<![CDATA[Hamza Noweder's Blog]]>https://blog.noweder.comRSS for NodeWed, 08 Apr 2026 11:18:54 GMT60<![CDATA[Provisioning an Amazon ECS Cluster Using Terraform]]>https://blog.noweder.com/provisioning-an-amazon-ecs-cluster-using-terraformhttps://blog.noweder.com/provisioning-an-amazon-ecs-cluster-using-terraformThu, 20 Mar 2025 22:54:39 GMTDescription

Terraform is an infrastructure-as-code tool that makes handling infrastructure more straightforward and manageable. A Terraform module is a collection of configuration files that encapsulate groups of resources dedicated to one task. Modules can be used to package and reuse resource configurations, making it easier to manage larger application components like an Amazon ECS Cluster.

In this demo, you will provision an Amazon ECS Cluster into an existing Amazon VPC.

Learning objectives

  • Define a Terraform module that deploys Amazon ECS resources

  • Apply an Auto Scaling Group Policy to respond to ECS metrics

  • Deploy an Amazon ECS Cluster into an existing Amazon VPC using Terraform

Prerequisites

  • IDE with configured IAM credentials

  • Installed Terraform with IDE

  • cloning repo: https://github.com/noweder/ECS-Terraform.git

  • Below resources pre-created in your AWS account to be referenced in later steps:

    • 1 Virtual Private Cloud

    • 2 Public Subnets

    • 2 Private Subnets

    • Public-facing Application Load Balancer

    • Internal-facing Application Load Balancer

Target Architecture

Demo Steps

  • Initiate Terraform by running the following command from the cloned directory path: terrafrom init

  • Reviewing the Terraform Variables file

    The variables.tf file defines the name, description, and expected data type for each variable referenced in the main.tf file. Feel free to review the data types of each variable.

    You will configure the terraform.tfvars file in the next step. This file will include the actual values for each variable. These values will be retrieved from the existing infrastructure.

    The outputs.tf file defines the expected output values for the deployment. In this demo, the CloudWatch Log Group names and the ECS Cluster ARN will be output after a successful deployment.

  • Defining an Amazon ECS Cluster Using Terraform

    In this step, you will configure an Amazon ECS cluster, service, and task definition in the main Terraform configuration file. This lab step will also explore the terraform.tfvars file that provides configuration values to the ECS Cluster.

    The ECS Cluster will contain two ECS Services.

    A frontend service will deploy tasks (containers) behind the public-facing Application Load Balancer (ALB) and in each of the public subnets. These tasks are based on an existing ECR image that serves a simple webpage and data retrieved from the backend.

    The backend service tasks will be behind the internal-facing application load balancer, inside each private subnet. The ECR image used for the backend service generates sample data that is passed to the frontend service.

    Once the ECS Cluster is deployed, you will be able to access the entire application by navigating to the public ALB's URL.

    Double-click the terraform.tfvars file to open it in the editor, then paste in the following configuration values:

    •   app_name = "lab"
  ecs_role_arn = "arn:aws:iam::574227279091:role/lab-ecs-task-execution-role"
  ecs_services = {
    frontend = {
      image          = "574227279091.dkr.ecr.us-west-2.amazonaws.com/frontend:1.0.0"
      cpu            = 256
      memory         = 512
      container_port = 8080
      host_port      = 8080
      desired_count  = 2
      is_public      = true
      protocol       = "HTTP"
      auto_scaling = {
        max_capacity    = 3
        min_capacity    = 2
        cpu_threshold    = 50
        memory_threshold = 50
      }
    }
    backend = {
      image          = "574227279091.dkr.ecr.us-west-2.amazonaws.com/backend:1.0.0"
      cpu            = 256
      memory         = 512
      container_port = 8080
      host_port      = 8080
      desired_count  = 2
      is_public      = false
      protocol       = "HTTP"
      auto_scaling = {
        max_capacity    = 3
        min_capacity    = 2
        cpu_threshold    = 75
        memory_threshold = 75
      }
    }
  }
  internal_alb_dns = "internal-lab-internal-400236659.us-west-2.elb.amazonaws.com"
  private_subnet_ids = [
    "subnet-0198a9e41d0bca224",
    "subnet-017d8d0f81ff2975e"
  ]
  public_subnet_ids = [
    "subnet-05f01cddf0795094f",
    "subnet-097cabee00a37f8b5"
  ]
  security_group_ids = [
    "sg-020dd20b13ae12807",
    "sg-0269de162c343c363"
  ]
  target_group_arns = {
    backend = {
      arn = "arn:aws:elasticloadbalancing:us-west-2:574227279091:targetgroup/backend-tg/8798f2ad7abee6f8"
    }
    frontend = {
      arn = "arn:aws:elasticloadbalancing:us-west-2:574227279091:targetgroup/frontend-tg/5d5b9e91c3b1ba49"
    }
  }

The most important value defined in this file is the ecs_services map. This map of objects includes the frontend and backend service configurations. The use of maps, objects, and lists allows you to template an application effectively. Terraform provides meta-arguments such as for_each, that can be used to traverse a map or list to reduce the number of resources defined in your main.tf file.

  • Open the main.tf file and paste below code at the end:

      resource "aws_ecs_cluster" "ecs_cluster" {
    name = lower("${var.app_name}-cluster")
  }

  # ECS Services
  resource "aws_ecs_service" "service" {
    for_each = var.ecs_services
    name            = "${each.key}-service"
    cluster         = aws_ecs_cluster.ecs_cluster.id
    task_definition = aws_ecs_task_definition.ecs_task_definition[each.key].arn
    launch_type     = "FARGATE"
    desired_count   = each.value.desired_count
    network_configuration {
      subnets          = each.value.is_public == true ? var.public_subnet_ids : var.private_subnet_ids
      assign_public_ip = each.value.is_public
      security_groups  = var.security_group_ids
    }
    load_balancer {
      target_group_arn = var.target_group_arns[each.key].arn
      container_name   = each.key
      container_port   = each.value.container_port
    }
  }

  # ECS Task Definitions
  resource "aws_ecs_task_definition" "ecs_task_definition" {
    for_each = var.ecs_services
    family                   = "${lower(var.app_name)}-${each.key}"
    execution_role_arn       = var.ecs_role_arn
    requires_compatibilities = ["FARGATE"]
    network_mode             = "awsvpc"
    memory                   = each.value.memory
    cpu                      = each.value.cpu
    container_definitions = jsonencode([
      {
        name      = each.key
        image     = each.value.image
        cpu       = each.value.cpu
        memory    = each.value.memory
        essential = true
        environment = [
          { name = "INTERNAL_ALB", value = var.internal_alb_dns },
          { name = "SERVICE_HOST", value = var.internal_alb_dns },
          { name = "SERVER_SERVLET_CONTEXT_PATH", value = each.value.is_public == true ? "/" : "/${each.key}" },
          { name = "SERVICES", value = "backend" },
          { name = "SERVICE", value = each.key },
          { name = "SERVICE_NAME", value = each.key }
        ]
        portMappings = [
          {
            containerPort = each.value.container_port
          }
        ]
        logConfiguration = {
          logDriver = "awslogs"
          options = {
            awslogs-group         = "${lower(each.key)}-logs"
            awslogs-region        = data.aws_region.current.name
            awslogs-stream-prefix = var.app_name
          }
        }
      }
    ])
  }

    The first resource is an ECS Cluster. The cluster is named lab-cluster after retrieving the app_name variable from the terraform.tfvars file.

    The ECS Service definition uses the for_each meta-argument to create one service for each object defined in the ecs_services variable. The each.key will resolve to frontend and backend. Instances of each.value are followed by the corresponding attribute name of the object. The desired_count of tasks for each service uses each.value.desired_count and resolves to 2. Surrounding these dynamic calls with ${ } allows you to resolve and concatenate the value into a string, i.e. name = frontend-service.

    The network_configuration references the is_public attribute of each ECS service to determine which subnet to deploy the services into. For each service, if this attribute is set to true, the service is deployed into the public subnets, and each task is assigned a public IP address. If set to false, no public IP is assigned, and the service is deployed into the private subnets.

    The target_group_arns map determines which ALB each service is associated with. The backend target group is associated with the internal ALB, which is not publicly accessible. The frontend target group is associated with the public ALB since it will serve the application's webpage.

    The ecs_task_definition resource defines the tasks, or containers, within each ECS service. All ECS tasks are set to the Fargate launch type and assume the same task execution IAM Role. This role provides the task agent with permission to perform AWS API calls on your behalf.

    container_definitions include which ECR image to use, CPU and memory configurations, as well as environment variables to be passed into the container. The environment variables in this task definition will be referenced by both frontend and backend services and are specific to the ECR image used in this lab.

    The task portMappings allow the containers to access the container port to send or receive traffic. Data will travel between frontend and backend tasks using this port.

    Finally, the logConfiguration defines the awslogs log driver which is used to send logs from the containers to Amazon CloudWatch Logs. The options define which CloudWatch Logs Group and AWS Region to send logs to.

  • Applying CloudWatch Monitoring and Auto Scaling to an ECS Cluster With Terraform

    • In this lab step, you will define CloudWatch Logs that store container logs for each of the ECS Services. You will also configure your ECS Services with Auto Scaling Group policies that scale the service task count in or out depending on certain ECS metrics.

    • Paste the following code to the end of the main.tf file:

        # CloudWatch Log Groups
  resource "aws_cloudwatch_log_group" "ecs_cw_log_group" {
    for_each = toset(keys(var.ecs_services))
    name     = lower("${each.key}-logs")
  }

  # ECS Auto Scaling Configuration
  resource "aws_appautoscaling_target" "service_autoscaling" {
    for_each = var.ecs_services
    max_capacity       = each.value.auto_scaling.max_capacity
    min_capacity       = each.value.auto_scaling.min_capacity
    resource_id        = "service/${aws_ecs_cluster.ecs_cluster.name}/${aws_ecs_service.service[each.key].name}"
    scalable_dimension = "ecs:service:DesiredCount"
    service_namespace  = "ecs"
  }

  # Auto Scaling Policies
  resource "aws_appautoscaling_policy" "ecs_policy_memory" {
    for_each = var.ecs_services
    name               = "${var.app_name}-memory-autoscaling"
    policy_type        = "TargetTrackingScaling"
    resource_id        = aws_appautoscaling_target.service_autoscaling[each.key].resource_id
    scalable_dimension = aws_appautoscaling_target.service_autoscaling[each.key].scalable_dimension
    service_namespace  = aws_appautoscaling_target.service_autoscaling[each.key].service_namespace
    target_tracking_scaling_policy_configuration {
      predefined_metric_specification {
        predefined_metric_type = "ECSServiceAverageMemoryUtilization"
      }
      target_value = each.value.auto_scaling.memory_threshold
    }
  }
  resource "aws_appautoscaling_policy" "ecs_policy_cpu" {
    for_each = var.ecs_services
    name               = "${var.app_name}-cpu-autoscaling"
    policy_type        = "TargetTrackingScaling"
    resource_id        = aws_appautoscaling_target.service_autoscaling[each.key].resource_id
    scalable_dimension = aws_appautoscaling_target.service_autoscaling[each.key].scalable_dimension
    service_namespace  = aws_appautoscaling_target.service_autoscaling[each.key].service_namespace
    target_tracking_scaling_policy_configuration {
      predefined_metric_specification {
        predefined_metric_type = "ECSServiceAverageCPUUtilization"
      }
      target_value = each.value.auto_scaling.cpu_threshold
    }
  }

    • In this lab step, you will deploy and test your ECS application using the Terraform CLI.

      1. In the browser IDE terminal, enter the following command to validate and summarize your deployment:

        Copy code

         terraform plan -no-color > plan.txt

        The command will send the output to the plan.txt file rather than displaying it in the terminal. There will be a total of 13 resources outlined in this plan and sorted in alphabetical order.

        This command also runs terraform validate before outputting the plan. Any misaligned variable types or misconfigured resources will be output if found.

        Feel free to explore this file and the resolved resource values.

      2. Enter the following command to deploy your ECS Cluster:

        Copy code

         terraform apply --auto-approve

        Note: The terraform apply process will take a few seconds to apply the changes to AWS, but the ECS Cluster may take up to 3 minutes to become accessible.

        The following message will display in the terminal, along with the predefined output variables:

        1. Open the ALB URL in a new browser tab to confirm the application is running

          The application is a simple API Results webpage. Each time you refresh the page, the frontend ECS tasks retrieve a new set of data from the backend tasks, then display them in a table organized by Record ID

Summary

By completing this lab, you have accomplished the following tasks:

  • Defined a Terraform module that deploys Amazon ECS resources

  • Applied an Auto Scaling Group Policy to respond to ECS metrics

  • Deployed an Amazon ECS Cluster into an existing Amazon VPC using Terraform

]]><![CDATA[Create an EKS Cluster with Nginx Application on AWS]]>https://blog.noweder.com/create-an-eks-cluster-with-nginx-application-on-awshttps://blog.noweder.com/create-an-eks-cluster-with-nginx-application-on-awsMon, 03 Feb 2025 17:57:56 GMTIntroduction

Amazon Elastic Kubernetes Service (Amazon EKS) is a managed Kubernetes service that makes it easy for you to run Kubernetes on AWS and on-premises. Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications. Amazon EKS is certified Kubernetes-conformant, so existing applications that run on upstream Kubernetes are compatible with Amazon EKS.

Amazon EKS automatically manages the availability and scalability of the Kubernetes control plane nodes responsible for scheduling containers, managing application availability, storing cluster data, and other key tasks.

In this blog, I will step you through the process of deploying an nginx web server on EKS cluster.

Pre-requisites

  • AWS Account

Step 1: Creating an IAM User with Admin Permissions

  • Go to IAM > Users and click on "Add users"

  • Specify the username for example k8s-admin, enable Programmatic access, and hit Next.

  • Click on Attach existing policies directly and select the AdministratorAccess policy.

  • Proceed till the end and click on Create user

  • Copy both Access key ID and Secret access key and save them for later use.

Step 2: Launching an EC2 Instance and Configuring the required CLI Tools

In this step, we will start by creating an EC2 instance, updating the AWS CLI version, and configuring the AWS CLI using the credentials of the user created in the previous step. We will then install both eksctl and kubectl on that EC2 instance. This instance will act as an admin workstation to run all administrative commands from.

  • Go to EC2 service and click on Launch instance.

  • Follow below instructions:

    • Set Name: k8s-admin

    • Select AMI: Amazon Linux 2 AMI

    • Keep the default Instance Type t2.micro

    • Create new key pair with you preferred name and download it (Note: Select .ppk format if you are using Putty)

    • Edit Network Settings and enable Auto-assign public IP

    • Keep other settings as is and click Launch instance

  • Wait till the Status check turns into 2/2 checks passed and then click on Connect. Choose EC2 Instance Connect and press on Connect button to access the EC2 instance terminal.

  • Follow the instructions from the AWS documentation here or follow the below steps to update the AWS CLI version:

    • Download the latest AWS CLI version
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
  • Unzip the installer
unzip awscliv2.zip
  • Run following to update the current version:
sudo ./aws/install --bin-dir /usr/bin --install-dir /usr/local/aws-cli --update
  • Verify version is updated
aws --version

image.png

  • Run aws configure and set below values:

    • AWS Acsess Key ID and AWS Secret Access Key from previous step

    • Default Region name: us-east-1

    • Default output format: json

  • Install kubectl with following commands:

curl -o kubectl https://amazon-eks.s3.us-west-2.amazonaws.com/1.16.8/2020-04-16/bin/linux/amd64/kubectl
chmod +x ./kubectl
mkdir -p $HOME/bin && cp ./kubectl $HOME/bin/kubectl && export PATH=$PATH:$HOME/bin
  • Ensure kubectl is installed
kubectl version --short --client
  • Install and configure eksctl
curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp
sudo mv /tmp/eksctl /usr/bin
  • Ensure eksctl is installed
eksctl version

Step 3: Provisioning an EKS Cluster

  • Provision an EKS cluster with three worker nodes in us-east-1
eksctl create cluster --name dev --region us-east-1 --nodegroup-name standard-workers --node-type t3.medium --nodes 3 --nodes-min 1 --nodes-max 4 --managed

It will take 10–15 minutes since it's provisioning the control plane and worker nodes, attaching the worker nodes to the control plane, and creating the VPC, security group, and Auto Scaling group.

  • After the process is fully completed, check the cluster status by running the following command
eksctl get cluster

image.png

  • Enable connecting to the cluster
aws eks update-kubeconfig --name dev --region us-east-1

Step 4: Creating an Nginx Deployment on the EKS Cluster

  • Install Git
sudo yum install -y git
  • Download the configuration files
git clone https://github.com/noweder/EKS-with-Nginx.git
  • Move to the directory with configuration files
cd EKS-with-Nginx
  • Create the Load Balancer service
kubectl apply -f ./nginx-svc.yaml
  • Check the Load Balancer service status and copy the external DNS hostname of the load balancer, and paste it into a text file for later use
kubectl get service

image.png

  • Create the deployment of 3 pods (3 Nginx containers)
kubectl apply -f ./nginx-deployment.yaml
  • Check the deployment status
kubectl get deployment

image.png

  • View the created pods
kubectl get pod

image.png

  • View the ReplicaSets
kubectl get rs

image.png

  • View the EC2 worker nodes
kubectl get node

image.png

  • Finally, you can access the Nginx application using the load balancer DNS address previously copied on a web browser, or by running the below command in CLI replacing <LOAD_BALANCER_DNS_HOSTNAME> with your specific Load Balancer DNS address
curl <LOAD_BALANCER_DNS_HOSTNAME>

image.png

image.png

If you get above results, it means that you have successfully accessed the Nginx application running in container which is deployed in the EKS cluster and exposed to the internet via the load balancer service.

Thank you for reading!

]]><![CDATA[AWS DevOps Team Strategy]]>https://blog.noweder.com/aws-devops-team-strategyhttps://blog.noweder.com/aws-devops-team-strategyFri, 02 Feb 2024 20:15:11 GMTIn this article, I will briefly define what is DevOps, then we will discuss the suggested strategy to manage and automate DevOps teamwork in the context of AWS Team.

What is DevOps?

DevOps is the combination of cultural philosophies, practices, and tools that increases an organization’s ability to deliver applications and services at high velocity: evolving and improving products at a faster pace than organizations using traditional software development and infrastructure management processes. This speed enables organizations to better serve their customers and compete more effectively in the market. Below are the main benefits of DevOps:

  • Collaboration

  • Improved delivery

  • Security

  • Speed

  • Scale

  • Reliability

The Strategy

In order to automate and manage the AWS DevOps teamwork, we would need to split our strategy into below main parts:

Part 1: The AWS Technology Stack

As an AWS Team, we need to focus on the below AWS native services:

  • Continuous Integration / Continuous Deployment (CI/CD):

    • AWS CodeCommit: Fully managed SCM service

    • AWS CodeBuild: To build and test the code

    • AWS CodeDeploy: For application deployment within AWS infrastructure

    • AWS CodePipeline: Is the glue which binds these services together. It's a orchestration tool which links all these products and automates the process end-to-end

  • Continuous Monitoring and Improvement:

    • Amazon CloudWatch: Fully managed monitoring service for AWS applications and resources. It can be used to collect and track metrics and logs, create alarms and automatically react to any change in AWS resources.

  • AWS X-Ray: Is a tracing service for analyzing the performance of applications/services and helps identify any issues.

  • AWS CloudTrail: Is a product which logs API calls and account events. It is used to diagnose security or performance issues, or to provide quality account level traceability.

  • Infrastructure and Application Deployment:

  • AWS CloudFormation: To automate infrastructure provisioning. This can avoid human errors and can be used repeatedly and at scale.

  • AWS Elastic Beanstalk: To deploy web applications at scale without managing the underlying infrastructure

  • Configuration Management:

  • AWS OpsWorks: Provides managed implementations of Puppet and Chef in a product which integrates with other AWS Products and services.

  • AWS Systems Manager: Allows you to manage applications and infrastructure running in AWS

  • DevSecOps: Security checks should be embedded in every below step of the CI/CD pipeline

  • Code

  • Build

  • Test

  • Deploy

  • Provision

  • Monitor

Part 2: DevOps Team Skills Development

The DevOps landscape is constantly evolving and there are new and updated tools being developed all the time. Hence, the DevOps team should be always in a continuous learning mode.

Although the below is not a comprehensive list and is subject to change for the above mentioned reason, these are the main technologies that should be focused on by the DevOps team for continuous upskilling in my humble opinion:

  • Programming and Scripting Languages:

  • Python

  • Go

  • Bash Scripting

  • Containerization - Docker / ECS

  • Container Orchestration - Kubernetes / EKS

  • Version Control - Git

  • IaC:

  • Terraform

  • Pulumi

  • AWS CDK

  • Configuration Management - Ansible

  • Monitoring and Observability:

  • Prometheus - Monitoring

  • Grafana - Visualization

  • ELK Stack - Log Management

  • AWS Serverless Products:

  • Lambda

  • API Gateway

  • SQS

  • SNS

  • DynamoDB

  • Fargate

  • Etc..

  • CI/CD Tools:

  • Jenkins

  • GitLab

  • GitHub Actions

  • CircleCI

  • TravisCI

  • GitOps - ArgoCD

  • System Design

Part 3: Project Management

For the project management aspect, the focus should be on Agile and Scrum methodologies. Below are one of the main tools that would be beneficial for managing DevOps team workflow:

  • JIRA

  • Asana

  • Trello

  • Slack - Collaboration

On the other hand, a good recommendation when hiring is to mix experienced people having a variety of backgrounds with new team members so that they can share their knowledge for the benefit of all.

]]><![CDATA[Using AWS Lambda to Revert Unauthorized Security Group Changes]]>https://blog.noweder.com/using-aws-lambda-to-revert-unauthorized-security-group-changeshttps://blog.noweder.com/using-aws-lambda-to-revert-unauthorized-security-group-changesSat, 14 Jan 2023 21:00:44 GMTIntroduction

In this blog, we will demonstrate how to proactively monitor a web server EC2 security group for any traffic rule changes using Lambda along with a few other services. If we detect any unauthorized changes, we will then undo them using Lambda. There will also be an SNS notification sent out to the admins, which is us.

In this activity we will be working with the following AWS services:

  • Lambda

  • SNS

  • CloudTrail

  • CloudWatch

  • CloudFormation

  • EC2

  • VPC

  • S3

This scenario is a working example of how we can use Lambda to perform various operational tasks within our account, especially ones that maintain our security posture.

Architecture

The below diagram illustrates the high-level architecture and the steps to be followed in sequence.

Prerequisites

  • An AWS account

  • An existing VPC such as the default VPC

Steps

Create Your CloudTrail Trail

Navigate to the CloudTrail service. From the left-hand menu, access Trails and click on Create trail.

  1. Specify your desired name for the trail

  2. For Storage location section, choose New S3 bucket and keep the default generated name. This will create an S3 bucket to load API event trail logs.

  3. Enable CloudWatch Logs to create a log group to which the trail will send events.

  4. Choose Event type as Management events

  5. Choose API activity to log both Read and Write activities.

  6. Leave other settings as is and finally click Create trail.

Deploy the CloudFormation Template

The CloudFormation template will create several resources:

  • A web security group that is monitored for any changes

  • An IAM role attached to the Lambda function as an execution role with permissions to remove any changes to the security group inbound rules.

  • A Lambda Permission which allows CloudWatch Events to invoke the Lambda function

  • A Lambda function that revokes any changes to the web security group and publishes a message to an SNS topic

  • A CloudWatch Event Rule that captures security group change events and triggers the Lambda function (Note: CloudWatch Events is now Amazon EventBridge)

  • SNS topic with an email subscription to send an email notification when the Lambda function is invoked

Follow the below steps to deploy these resources:

  1. Using your preferred code editor, create a .yaml file with the below CloudFormation template.
---
AWSTemplateFormatVersion: 2010-09-09
Description: |
  Creates the resources necessary to create a rule to monitor and
  auto-mitigate security group change events

Metadata:
  License:
    Description: |
      Copyright 2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.

      Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at

          http://aws.amazon.com/apache2.0/

      or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Settings
        Parameters:
          - NotificationEmailAddress

    ParameterLabels:
      NotificationEmailAddress:
        default: Send notifications to

Parameters:

  NotificationEmailAddress:
    Description: |
      This is the email address that will receive change notifications. You will
      receive a confirmation email that you must accept before you will receive
      notifications.
    Type: String

Conditions:

  AddEmailNotificationSubscription:
    !Not [!Equals [!Ref NotificationEmailAddress, ""]]

Resources:

  WebServerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow HTTPS access to web servers
      SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 443
        ToPort: 443
        CidrIp: 0.0.0.0/0
      Tags:
        - Key: Name
          Value: Web Server Security Group

  SecurityGroupChangeAutoResponseRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          -
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        -
          PolicyName: SecurityGroupModification
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              -
                Sid: AllowSecurityGroupActions
                Effect: Allow
                Action:
                  - ec2:RevokeSecurityGroupIngress
                Resource: !Sub arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:security-group/${WebServerSecurityGroup.GroupId}
              -
                Sid: AllowSnsActions
                Effect: Allow
                Action:
                  - sns:Publish
                Resource: !Ref SnsTopicForCloudWatchEvent

  SecurityGroupChangeAutoResponse:
    Type: AWS::Lambda::Function
    Properties:
      Description: Responds to security group changes
      Handler: index.lambda_handler
      MemorySize: 1024
      Role: !GetAtt SecurityGroupChangeAutoResponseRole.Arn
      Runtime: python3.9
      Timeout: 60
      Environment:
        Variables:
          security_group_id: !GetAtt WebServerSecurityGroup.GroupId
          sns_topic_arn: !Ref SnsTopicForCloudWatchEvent
      Code:
        ZipFile: |
          import os, json, boto3

          #===============================================================================
          def lambda_handler(event, context):

              print(event)

              # Ensure that we have an event name to evaluate.
              if 'detail' not in event or ('detail' in event and 'eventName' not in event['detail']):
                  return {"Result": "Failure", "Message": "Lambda not triggered by an event"}

              # Remove the rule only if the event was to authorize the ingress rule for the given
              # security group that was injected during CloudFormation execution.
              if (event['detail']['eventName'] == 'AuthorizeSecurityGroupIngress' and
                  event['detail']['requestParameters']['groupId'] == os.environ['security_group_id']):
                  result = revoke_security_group_ingress(event['detail'])

                  message = "AUTO-MITIGATED: Ingress rule removed from security group: {} that was added by {}: {}".format(
                          result['group_id'],
                          result['user_name'],
                          json.dumps(result['ip_permissions'])
                          )

                  boto3.client('sns').publish(
                    TargetArn = os.environ['sns_topic_arn'],
                    Message = message,
                    Subject = "Auto-mitigation successful"
                    )


          #===============================================================================
          def revoke_security_group_ingress(event_detail):

              request_parameters = event_detail['requestParameters']

              # Build the normalized IP permission JSON struture.
              ip_permissions = normalize_paramter_names(request_parameters['ipPermissions']['items'])

              response = boto3.client('ec2').revoke_security_group_ingress(
                  GroupId = request_parameters['groupId'],
                  IpPermissions = ip_permissions
                  )

              # Build the result
              result = {}
              result['group_id'] = request_parameters['groupId']
              result['user_name'] = event_detail['userIdentity']['arn']
              result['ip_permissions'] = ip_permissions

              return result


          #===============================================================================
          def normalize_paramter_names(ip_items):

              # Start building the permissions items list.
              new_ip_items = []

              # First, build the basic parameter list.
              for ip_item in ip_items:

                  new_ip_item = {
                      "IpProtocol": ip_item['ipProtocol'],
                      "FromPort": ip_item['fromPort'],
                      "ToPort": ip_item['toPort']
                  }

                  #CidrIp or CidrIpv6 (IPv4 or IPv6)?
                  if 'ipv6Ranges' in ip_item and ip_item['ipv6Ranges']:
                      # This is an IPv6 permission range, so change the key names.
                      ipv_range_list_name = 'ipv6Ranges'
                      ipv_address_value = 'cidrIpv6'
                      ipv_range_list_name_capitalized = 'Ipv6Ranges'
                      ipv_address_value_capitalized = 'CidrIpv6'
                  else:
                      ipv_range_list_name = 'ipRanges'
                      ipv_address_value = 'cidrIp'
                      ipv_range_list_name_capitalized = 'IpRanges'
                      ipv_address_value_capitalized = 'CidrIp'

                  ip_ranges = []

                  # Next, build the IP permission list.
                  for item in ip_item[ipv_range_list_name]['items']:
                      ip_ranges.append(
                          {ipv_address_value_capitalized : item[ipv_address_value]}
                          )

                  new_ip_item[ipv_range_list_name_capitalized] = ip_ranges

                  new_ip_items.append(new_ip_item)

              return new_ip_items

  SecurityGroupChangeAutoResponseLambdaPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      Principal: events.amazonaws.com
      FunctionName: !Ref SecurityGroupChangeAutoResponse

  TriggeredRuleForSecurityGroupChangeAutoResponse:
    Type: AWS::Events::Rule
    Properties:
      #Name: SecurityGroupChangeAutoResponse
      Description: Responds to security group change events
      EventPattern:
        detail:
          eventSource:
            - ec2.amazonaws.com
          eventName:
            - AuthorizeSecurityGroupIngress
            - AuthorizeSecurityGroupEgress
            - RevokeSecurityGroupEgress
            - RevokeSecurityGroupIngress
            - CreateSecurityGroup
            - DeleteSecurityGroup
      State: ENABLED
      Targets:
        -
          Arn: !GetAtt SecurityGroupChangeAutoResponse.Arn
          Id: TargetFunctionV1

  SnsTopicForCloudWatchEvent:
    Type: AWS::SNS::Topic
    Properties:
      DisplayName: Broadcasts message to subscribers

  SnsTopicSubscriptionForCloudWatchEvent:
    Type: AWS::SNS::Subscription
    Condition: AddEmailNotificationSubscription
    Properties:
      TopicArn: !Ref SnsTopicForCloudWatchEvent
      Endpoint: !Ref NotificationEmailAddress
      Protocol: email

  1. Navigate to CloudFormation service and click on Create stack.

  2. Click on Upload a template file from the Specify template section and choose the locally created .yaml file, then click Next.

  3. Specify your desired name of the stack.

  4. Enter your email address in the Parameters section under Send notifications to parameter.

  5. Leave everything else as is and click on Submit at the end.

  6. Once the stack status changes to CREATE_COMPLETE, you should receive an email from AWS to confirm the subscription to the SNS topic. Click on Confirm subscription link within the email bod

Test and Verify The Solution

Head to EC2 in the console and access Security Groups under Network & Security. Select the created Web Server Security Group and click on Edit inbound rules.

Click on Add rule. Select SSH as Type and Anywhere-IPv4 as the Source. Then click on Save rules.

Once this change is done, CloudTrail will catch this event and send it to CloudWatch, which will trigger the deployed event rule and pass the data to the Lambda function. The function will parse that data and do two things; it will remove the rule we added, and also publish to the SNS topic which will send an email to the defined email address.

Refresh the inbound rules and you will notice the newly added rule has been immediately removed!

You will also receive a notification email mentioning that the added ingress rule has been removed as shown below.

We can also view the metrics of the successful lambda function invocation from the Monitor menu of the function as shown below.

Until next time...

Thanks for reading!

]]><![CDATA[Automate Deploying a LAMP Stack Application using Ansible]]>https://blog.noweder.com/automate-deploying-a-lamp-stack-application-using-ansiblehttps://blog.noweder.com/automate-deploying-a-lamp-stack-application-using-ansibleWed, 09 Nov 2022 22:43:55 GMTWhat is Ansible?

Ansible is a software tool that provides simple but powerful automation for cross-platform computer support. It is primarily intended for IT professionals, who use it for application deployment, updates on workstations and servers, cloud provisioning, configuration management, intra-service orchestration, and nearly anything a systems administrator does on a weekly or daily basis. Ansible doesn't depend on agent software and has no additional security infrastructure, so it's easy to deploy.

In this project, we will use Ansible to deploy a LAMP stack web application on multi-node setup.

Pre-requisites

  • User with root privileges

  • 3 CentOS hosts on the same network. One will act the Ansible controller, and the other two will acts as target hosts. The hostnames should be configured as below to follow along:

    • ansible-controller
    • lamp-db
    • lamp-web

  • Ansible installed on ansible-controller host

  • /etc/hosts/ on ansible-controller host is configured with the IP addresses of the targets as below example

image.png

  • SSH Password-less login enabled between the ansible-controller host and the two target hosts

Steps

Step1: Create the project folder and access it by running below commands:

mkdir lamp-stack-playbooks
cd lamp-stack-playbooks

Step 2: Configure the inventory file

  • Create an inventory file
    vi inventory
  • Copy below lines and paste them in the inventory file. Also, make sure to replace and with your proper DB and Web hosts' IP addresses. In addition you need to specify the user and SSH private key path for both DB and WEB.
[db_servers]
lamp-db ansible_host=<YOUR-DB-HOST-IP> ansible_user=<DB_USER> ansible_ssh_private_key_file=<PATH_TO_DB_SSH_PRIVATE_KEY> mysqlservice=mysqld mysql_port=3306 dbname=ecomdb dbuser=ecomuser dbpassword=ecompassword

[web_servers]
lamp-web ansible_host=<YOUR-WEB-HOST-IP> ansible_user=<WEB_USER> ansible_ssh_private_key_file=<PATH_TO_WEB_SSH_PRIVATE_KEY> httpd_port=80 repository=https://github.com/noweder/lamp-app-ecommerce.git

Step 3: Prepare the configuration files

  • Create files sub-folder and move into it:

    mkdir files

  • Create MySQL Configuration file my.cnf under files folder:

    vi files/my.cnf
  • Paste the below lines inside my.cnf and save it:
    [mysqld]
innodb-buffer-pool-size=5242880
# datadir=/var/lib/mysql
# socket=/var/lib/mysql/mysql.sock
user=mysql
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
port=3306
  • Create another file named db-load-script.sql on the controller host under files folder:
    vi files/db-load-script.sql
  • Paste below lines inside db-load-script.sql file and save it:
USE ecomdb;
CREATE TABLE products (id mediumint(8) unsigned NOT NULL auto_increment,Name varchar(255) default NULL,Price varchar(255) default NULL, ImageUrl varchar(255) default NULL,PRIMARY KEY (id)) AUTO_INCREMENT=1;

INSERT INTO products (Name,Price,ImageUrl) VALUES ("Laptop","100","c-1.png"),("Drone","200","c-2.png"),("VR","300","c-3.png"),("Tablet","50","c-5.png"),("Watch","90","c-6.png"),("Phone Covers","20","c-7.png"),("Phone","80","c-8.png"),("Laptop","150","c-4.png");
  • Create index.php file on controller host under files folder
    vi files/index.php
    • Paste below code inside index.php file and make sure to replace <YOUR-DB-HOST-IP> with your specific DB Host IP address before saving it:
<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="utf-8">
        <meta http-equiv="X-UA-Compatible" content="IE=edge">
        <meta name="viewport" content="width=device-width, initial-scale=1">

        <title>E-Commerce Website</title>

        <!-- Favicon -->
        <link rel="icon" href="img/favicon.png" type="image/png" />
        <!-- Bootstrap CSS -->
        <link href="css/bootstrap.min.css" rel="stylesheet">
        <!-- Icon CSS-->
        <link rel="stylesheet" href="vendors/font-awesome/css/font-awesome.min.css">
        <link rel="stylesheet" href="vendors/linearicons/linearicons-1.0.0.css">
        <!-- Animations CSS-->
        <link rel="stylesheet" href="vendors/wow-js/animate.css">
        <!-- owl_carousel-->
        <link rel="stylesheet" href="vendors/owl_carousel/owl.carousel.css">

        <!-- Theme style CSS -->
        <link href="css/style.css" rel="stylesheet">
<!--        <link href="css/responsive.css" rel="stylesheet">  -->

        <!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
        <!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
        <!--[if lt IE 9]>
          <script src="https://oss.maxcdn.com/html5shiv/3.7.3/html5shiv.min.js"></script>
          <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
        <![endif]-->
    </head>
    <body>
        <!--==========Main Header==========-->
        <header class="main_header_area">
            <nav class="navbar navbar-default navbar-fixed-top" id="main_navbar">
                <div class="container-fluid searchForm">
                    <form action="#" class="row">
                        <div class="input-group">
                            <span class="input-group-addon"><i class="lnr lnr-magnifier"></i></span>
                            <input type="search" name="search" class="form-control" placeholder="Type & Hit Enter">
                            <span class="input-group-addon form_hide"><i class="lnr lnr-cross"></i></span>
                        </div>
                    </form>
                </div>
                <div class="container">
                    <div class="row">
                    <!-- Brand and toggle get grouped for better mobile display -->
                    <div class="col-md-2 p0">
                        <div class="navbar-header">
                            <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#bs-example-navbar-collapse-1" aria-expanded="false">
                            <span class="sr-only">Toggle navigation</span>
                            <span class="icon-bar"></span>
                            <span class="icon-bar"></span>
                            <span class="icon-bar"></span>
                            </button>
                            <a class="navbar-brand" href="index.html">
                                <img src="img/logo.png" alt="">
                                <img src="img/logo-2.png" alt="">
                            </a>
                        </div>
                    </div>

                    <!-- Collect the nav links, forms, and other content for toggling -->
                    <div class="collapse navbar-collapse" id="bs-example-navbar-collapse-1">
                        <div class="col-md-9 p0">
                            <ul class="nav navbar-nav main_nav">
                              <li><a href="#">Laptops</a></li>
                              <li><a href="#">Drones</a></li>
                                <li><a href="#">Gadgets</a></li>
                                <li><a href="#">Phones</a></li>
                                <li><a href="#">VR</a></li>
                                <li><a href="#">Contact us</a></li>
                            </ul>
                        </div>
                        <div class="col-md-1 p0">
                            <ul class="nav navbar-nav navbar-right">
                                <li><a href="#" class="nav_searchFrom"><i class="lnr lnr-magnifier"></i></a></li>
                            </ul>
                        </div>
                    </div><!-- /.navbar-collapse -->
                    </div>
                </div><!-- /.container-fluid -->
            </nav>
        </header>
        <!--==========Main Header==========-->

        <!--==========Slider area==========-->
        <section class="slider_area row m0">
            <div class="slider_inner">
                <div class="camera_caption">
                    <h2 class="wow fadeInUp animated">Make Your Shopping Easy</h2>
                    <h5 class="wow fadeIn animated" data-wow-delay="0.3s">Find everything accordingly</h5>
                    <a class="learn_mor wow fadeInU" data-wow-delay="0.6s" href="#product-list">Show Now!</a>
                </div>
            </div>
        </section>
        <!--==========End Slider area==========-->

        <section class="best_business_area row">
            <div class="check_tittle wow fadeInUp" data-wow-delay="0.7s" id="product-list">
                <h2>Product List</h2>
            </div>
            <div class="row it_works">
              <?php

                        $link = mysqli_connect('<YOUR_DB_HOST_IP>', 'ecomuser', 'ecompassword', 'ecomdb');

                        if ($link) {
                        $res = mysqli_query($link, "select * from products;");
                        while ($row = mysqli_fetch_assoc($res)) { ?>

                <div class="col-md-3 col-sm-6 business_content">
                    <?php echo '<img src="img/' . $row['ImageUrl'] . '" alt="">' ?>
                    <div class="media">
                        <div class="media-left">

                        </div>
                        <div class="media-body">
                            <a href="#"><?php echo $row['Name'] ?></a>
                            <p>Purchase <?php echo $row['Name'] ?> at the lowest price <span><?php echo $row['Price'] ?>$</span></p>
                        </div>
                    </div>
                </div>

                <?php
                        }
                    }
                    else {
                ?>
                <div style="width: 100%">
                <div class="error-content">

                    <h1>Database connection error</h1>
                    <p>
                    <?php
                          echo mysqli_connect_errno() . ":" . mysqli_connect_error();
                    ?>
                    </p>
                  </div>
                  </div>
                  <?php
                    }
                  ?>


            </div>
        </section>


        <footer class="footer_area row">
            <div class="container custom-container">



                <div class="copy_right_area">
                    <h4 class="copy_right">© Copyright 2019 Ecommerce Website | All Rights Reserved</h4>
                </div>
            </div>
        </footer>

        <!-- jQuery -->
        <script src="js/jquery-1.12.4.min.js"></script>
        <!-- Bootstrap -->
        <script src="js/bootstrap.min.js"></script>
        <!-- Wow js -->
        <script src="vendors/wow-js/wow.min.js"></script>
        <!-- Wow js -->
        <script src="vendors/Counter-Up/waypoints.min.js"></script>
        <script src="vendors/Counter-Up/jquery.counterup.min.js"></script>
        <!-- Stellar js -->
        <script src="vendors/stellar/jquery.stellar.js"></script>
        <!-- owl_carousel js -->
        <script src="vendors/owl_carousel/owl.carousel.min.js"></script>
        <!-- Theme js -->
        <script src="js/theme.js"></script>
    </body>
</html>

Step 3: Create a deploy-lamp-stack.yml playbook file under lamp-stack-playbooks and paste below code:

---

- name: Deploy lamp stack application
  hosts: all
  become: yes
  tasks:
    - name: Install common dependencies
      yum:
        name:
          - libselinux-python
          - libsemanage-python
          - firewalld
        state: installed

    # Install and Configure Database
- name: Deploy DB of the application
  hosts: lamp-db
  become: yes
  tasks:
    - name: Install MariaDB package
      yum:
        name:
          - mariadb-server
          - MySQL-python
        state: installed

    - name: Create Mysql configuration file
      copy: src=files/my.cnf dest=/etc/my.cnf

    - name: Start MariaDB Service
      service: name=mariadb state=started enabled=yes

    - name: Start firewalld
      service: name=firewalld state=started enabled=yes

    - name: insert firewalld rule
      firewalld: port={{ mysql_port }}/tcp permanent=true state=enabled immediate=yes

    - name: Create Application Database
      mysql_db: name={{ dbname }} state=present

    - name: Create Application DB User
      mysql_user: name={{ dbuser }} password={{ dbpassword }} priv=*.*:ALL host='<YOUR_WEB_HOST_IP>' state=present

    - name: Move db-load-script to db host
      copy:
        src: files/db-load-script.sql
        dest: /tmp/db-load-script.sql

    - name: Load Inventory Data
      shell: mysql -f < /tmp/db-load-script.sql

- name: Deploy web application
  hosts: lamp-web
  become: yes
  tasks:
    - name: Install httpd and php
      yum:
        name:
          - httpd
          - php
          - php-mysql
        state: present

    - name: Install web role specific dependencies
      yum: name=git state=installed

    - name: Start firewalld
      service: name=firewalld state=started enabled=yes

    - name: insert firewalld rule for httpd
      firewalld: port={{ httpd_port }}/tcp permanent=true state=enabled immediate=yes

    - name: Set index.php as the default page
      tags: "Set index.php as the default page"
      replace:
        path: /etc/httpd/conf/httpd.conf
        regexp: 'DirectoryIndex index.html'
        replace: 'DirectoryIndex index.php'

    - name: http service state
      service: name=httpd state=started enabled=yes

    - name: Copy the code from repository
      git: repo={{ repository }} dest=/var/www/html/  force=yes

    - name: Create the index.php file
      copy: src=files/index.php dest=/var/www/html/index.php
  • Make sure to replace <YOUR_WEB_HOST_IP> with your specific Web Host IP address before saving the file.

Step 4: Run the playbook with below command

ansible-playbook -i inventory deploy-lamp-stack.yml
  • Make sure to replace the host value <YOUR-WEB-HOST-IP> in Create Application DB User task with your specific web host IP address.

Step 5: Access the web application

  • Run the below command to access the web application from CLI:
    curl <YOUR-WEB-HOST-IP>
  • Or, copy <YOUR-WEB-HOST-IP> and paste it into a web browser.

Thank you for reading!

]]><![CDATA[Monitoring Containers with Prometheus and cAdviser]]>https://blog.noweder.com/monitoring-containers-with-prometheus-and-cadviserhttps://blog.noweder.com/monitoring-containers-with-prometheus-and-cadviserFri, 01 Jul 2022 11:00:43 GMTIntroduction

In this blog, we will walk through how to monitor containers using Prometheus and cAdviser.

cAdvisor (short for container Advisor) analyzes and exposes resource usage and performance data from running containers. cAdvisor exposes Prometheus metrics out of the box. The container metrics will be collected by cAdvisor and scraped by Prometheus.

Pre-requisites

  • User with sudo privileges
  • Docker installed

Steps

Step 1

Configure Prometheus to scrape metrics from cAdvisor. Create a prometheus.yml file and paste below code:

scrape_configs:
- job_name: cadvisor
  scrape_interval: 5s
  static_configs:
  - targets:
    - cadvisor:8080

Step 2

Now, in the same directory where you have created prometheus.yml, create adocker-compose.yml file defining both prometheus and cAdviser services. Copy and paste below in the file:

version: '3'
services:
  prometheus:
    image: prom/prometheus:latest
    container_name: prometheus
    ports:
      - 9090:9090
    command:
      - --config.file=/etc/prometheus/prometheus.yml
    volumes:
      - ./prometheus.yml:/etc/prometheus/prometheus.yml
    depends_on:
      - cadvisor

  cadvisor:
    image: google/cadvisor:latest
    container_name: cadvisor
    ports:
      - 8080:8080
    volumes:
      - /:/rootfs:ro
      - /var/run:/var/run:rw
      - /sys:/sys:ro
      - /var/lib/docker:/var/lib/docker:ro

Step 3

Run docker-compose up -d to deploy the services and make it running in the background.

To verify the running containers, run docker ps. you can also access prometheus web dashboard on [your-public-ip]:9090 and cAdviser on [your-public-ip]:8080

]]><![CDATA[Build a Ghost Blog with Docker Compose]]>https://blog.noweder.com/build-a-ghost-blog-with-docker-composehttps://blog.noweder.com/build-a-ghost-blog-with-docker-composeMon, 27 Jun 2022 18:47:44 GMTIn this blog, we will create a Ghost Blog using Docker Compose.

Docker Quest - Challenge 5.png

Pre-requisites:

  • Docker pre-installed

  • User with sudo access

Steps:

Create a Docker Compose file docker-compose.yml in the root directory. You will create two services: a Ghost Blog service and a MySQL service. Below is the code:

version: "3"
services:
  ghost:
    container_name: ghost-blog
    image: ghost:1-alpine
    restart: always
    environment:
      - database__client=mysql
      - database__connection__host=mysql
      - database__connection__user=root
      - database__connection__password=P4sSw0rd0!
      - database__connection__database=ghost
    ports:
      - 80:2368
    volumes:
      - ghost-volume:/var/lib/ghost
    depends_on:
      - mysql

  mysql:
    container_name: ghost-db
    image: mysql:5.7
    restart: always
    environment:
      - MYSQL_ROOT_PASSWORD=P4sSw0rd0!
    volumes:
      - mysql-volume:/var/lib/mysql


volumes:
  ghost-volume: {}
  mysql-volume: {}

Run docker-compose up -d to deploy the defined services.

Once completed, you can run docker ps to list the deployed containers as below:

image.png

You can then access the ghost blog from your web browser using your public IP address!

]]>