Building a CI/CD Pipeline w/ Terraform Cloud: and Deploying IAM Users
Part 1: Deploying IAM Users
Today you have 5 new employees starting in your organization. It is your job to create IAM user profiles with password policies and permission policies. We will use Terraform Cloud to store our environment variables and deploy the infrastructure to AWS.
First, let’s sign up and log in to Terraform Cloud…once logged in, navigate to https://app.terraform.io/session?utm_source=docs_banner
Once you are signed in, create a new organization specifically for this lab.
The first step Terraform Cloud walks you through is creating a workspace, which involves linking a VCS (Version Control System) such as GitHub.
Next, under Connect to a VCS provider, click the icon below and then click GitHub.com (option 1). If you do not have a GitHub account, I suggest you open a separate tab and create one; it is all but mandatory for storing code in a repository.
Once you have connected your GitHub account you will go through several prompts; make sure to disable the pop-up blocker for this site so it lets you proceed.
Next, I renamed the workspace to terraform IAMlab.
Next, we need to configure the variables. Here we grab the ACCESS_KEY and SECRET_ID from our AWS environment and store them. Terraform Cloud encrypts these variables; marking them Sensitive also keeps their values from being displayed in the UI.
The top three key-value pairs above should be self-explanatory to AWS users; variable #4, however, allows us to destroy the infrastructure we apply to our AWS environment. The default region variable saves us from having to create a configuration file specifying the default region (although that works as well).
Now that we have prepared our Terraform Cloud environment, let’s view the Terraform configuration files we will use to deploy the 5 new employees starting in our organization today.
First, let’s take a look at the variable that will assist us in naming our 5 new employees.
https://raw.githubusercontent.com/bmwitcher/tfcloudlab/master/variables.tf
We will use the element function to pull the custom name for each of the resources we create in our AWS environment. Let’s take a look at the configuration file. Before you look at it, I want to preface that you can also pull values from a file like the one below by using modules. Here, however, you can change the names of a small number of employees and let Terraform automate the process for you.
https://raw.githubusercontent.com/bmwitcher/tfcloudlab/master/iam.tf
(There is still a PGP/GPG key error in this file that is commented out…any advice or help on this error would be greatly appreciated.)
Looking at the file, you can see that we are creating 5 IAM users with password policies, requiring them to reset their password (I hit a snag here that I am still working out, but will update once I figure it out 🤦🏾♂️), and assigning an EC2 full access permission policy.
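As an added example (this is not the author’s iam.tf from the gist above, and not the lab repository’s code), here is a minimal configuration that follows the same pattern: a list variable of employee names, the element function to pick each name, a console login profile that forces a password reset, an account password policy, the AmazonEC2FullAccess managed policy, and an access key per user. The employee names, the resource labels and the keybase placeholder in pgp_key are assumptions; replace the placeholder with your own PGP public key (base64) or keybase:username before applying.

```hcl
# Added example, not the author's iam.tf. Resource labels, employee names
# and the pgp_key placeholder are assumptions for illustration.

variable "user_names" {
  description = "Names of the 5 new employees (assumed sample values)"
  type        = list(string)
  default     = ["employee1", "employee2", "employee3", "employee4", "employee5"]
}

variable "pgp_key" {
  description = "PGP public key (base64) or keybase:username used to encrypt generated secrets. PLACEHOLDER: supply your own."
  type        = string
  default     = "keybase:REPLACE_ME"
}

# Account-wide password policy applied to every IAM user in the account.
resource "aws_iam_account_password_policy" "strict" {
  minimum_password_length        = 14
  require_lowercase_characters   = true
  require_uppercase_characters   = true
  require_numbers                = true
  require_symbols                = true
  allow_users_to_change_password = true
  max_password_age               = 90
  password_reuse_prevention      = 24
}

# One IAM user per entry in var.user_names, named via element().
resource "aws_iam_user" "employee" {
  count         = length(var.user_names)
  name          = element(var.user_names, count.index)
  force_destroy = true # lets `terraform destroy` remove the user even after it has keys and a login profile
}

# Console password, encrypted with the PGP key, with a forced reset at first sign-in.
# Referencing aws_iam_user.employee[count.index].name makes Terraform create the
# user before the profile, so the dependency order is explicit in the graph.
resource "aws_iam_user_login_profile" "employee" {
  count                   = length(var.user_names)
  user                    = aws_iam_user.employee[count.index].name
  pgp_key                 = var.pgp_key
  password_length         = 20
  password_reset_required = true
}

# Attach the AWS-managed EC2 full access policy to each user.
resource "aws_iam_user_policy_attachment" "ec2_full" {
  count      = length(var.user_names)
  user       = aws_iam_user.employee[count.index].name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
}

# Programmatic access key per user; with pgp_key set, only the encrypted
# secret (not the plaintext secret) is written to Terraform state.
resource "aws_iam_access_key" "employee" {
  count   = length(var.user_names)
  user    = aws_iam_user.employee[count.index].name
  pgp_key = var.pgp_key
}

# Hand these to each employee; they decrypt them with their own private key.
output "encrypted_console_passwords" {
  value = aws_iam_user_login_profile.employee[*].encrypted_password
}

output "access_key_ids" {
  value = aws_iam_access_key.employee[*].id
}

output "encrypted_secret_access_keys" {
  value = aws_iam_access_key.employee[*].encrypted_secret
}
```

Two points a practitioner will want to check: depending on the AWS provider version, pgp_key on the login profile may be required, and either way supplying one keeps the generated password and secret access key out of plaintext state, which in this lab lives in Terraform Cloud; and AmazonEC2FullAccess is a broad managed policy, so it is a reasonable lab default but worth narrowing for real employees.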
Let’s now queue a plan in Terraform Cloud and see whether the ‘plan’ stage gives us any errors or lets us provision the infrastructure.
Now that we see all of our resources, including the policies attached to each user, we can click on apply and run at the bottom of the screen, then check our AWS account to ensure everything was automatically deployed.
Before we do that, let me give a slight back story to this project. I received a lot of errors AFTER the terraform plan stage 😂. I’ve learned that when Terraform prompts IAM to create your users and then create the access keys for each user, it may sometimes give you an error about a failure to create the access keys for specific users. In my case, it errored on 2 of my 5 users. I researched for days, and then, while sitting on the couch about 10 minutes ago, I thought to try the project again locally and ran terraform apply a second time after receiving the error, and there went the successful creation of the additional IAM access keys for the remainder of the users. Before doing that, I carefully read through the creation of the resources and realized the users were being created out of order, with the IAM access keys being generated before the users were created, causing the error. That’s when I thought about running terraform apply again to create the additional resources that errored in the previous step. The screenshots below show the progress after apply in Terraform Cloud and AWS.
(As soon as I logged in, after updating my files in GitHub, Terraform Cloud automatically started the plan. This step is symbolic of a CI/CD pipeline: as your teams push new and updated code/content to GitHub, Terraform Cloud deploys and implements the changes.) #Excitingstuff
(Above are the errors I received two days ago.)
(After the first terraform apply, I received this error, most likely due to the lag in the creation of the IAM user from Terraform to AWS.)
(Here we see the additional resources that failed in the previous step being created with no changes to the code, just an additional terraform apply command.)
(Above we see one of our 5 users created in IAM, along with the Access Key ID.)
(Our user policy made it over to AWS as well.)
There you have it…Terraform Cloud utilizing GitHub code repositories for a CI/CD deployment to your/your organization’s AWS account.
Destroying our infrastructure in Terraform Cloud…is quite simple since we have our environment variable set.
(You will receive another error here; return to the Destruction and Deletion tab, confirm and apply, and you will see the additional 2 resources destroyed. Check AWS to confirm.)