파트 3 - 간단한 EC2 인스턴스 - Awesome AWS CDK

Most tutorials on AWS try to get you to deploy the world famous t2.micro instance (a small virtual server under the free usage tier on AWS) using the AWS console. You then go on to install something like Wordpress through SSH or through a user script (a script that runs when an instance is created) that you define in the AWS console.

So that's exactly what we're going to deploy. But we're going to use the AWS CDK instead.

This is what you'll learn in this tutorial:

• Bootstrapping a new CDK application
• The structure and setup of a CDK application
• How to provision and setup an ec2 instance
• How to setup terminal access to the instance via SSH key.
• How to update the ec2 instance with a user script and update the deployed cdk stack
• How to write tests for the cdk application
• How to destroy the deployed stack

Let's go!

Using your terminal, create a new directory simple-ec2 and cd into it:

mkdir simple-ec2 && cd simple-ec2

We previously setup the AWS CDK cli globally. If you haven't done that see in this series.

Bootstrap a new cdk project template that uses Typescript:

cdk init --language=typescript

This will initialize a new cdk project for you in Typescript.

• Run npm update to ensure you're using the latest version of the CDK.
• If you have version conflicts between @aws-cdk/core and other @aws-cdk sub-packages, then you'll come across some weird errors. @aws-cdk/core and every other imported @aws-cdk/PACKAGE should have the same version.

# tree -I 'node_modules'
.
├── bin
│   └── simple-ec2.ts       # entry point
├── cdk.json
├── jest.config.js          # for tests
├── lib                     # where the infrastructure code you write will go
│   └── simple-ec2-stack.ts 
├── package.json
├── package-lock.json
├── README.md
├── test                    # test folder
│   └── simple-ec2.test.ts
└── tsconfig.json

• ./bin/simple-ec2.ts is the entry point file used by the cdk. This is where you define your stack(s).
• The IaC that provisions the resources will be inside the lib folder and is required by ./bin/simple-ec2.ts during synth and deploy actions. I'll explain both commands later.
• ./test/simple-ec2.test.ts contains the template code to test your CDK application

In ./bin/simple-ec2.ts a new App() is defined and this represents a single stack.

• We can add a description for our stack in this file.
• This description will be visible in the Cloudformation console:

// ./bin/simple-ec2.ts

import 'source-map-support/register';
import * as cdk from '@aws-cdk/core';
import { SimpleEc2Stack } from '../lib/simple-ec2-stack';

const app = new cdk.App();
new SimpleEc2Stack(app, 'SimpleEc2Stack', {
   description: 'This is a simple EC2 stack'
});

Let's head over to ./lib/simple-ec2-stack.ts and see what the CDK boostrapped for us:

// ./lib/simple-ec2-stack.ts

import * as cdk from '@aws-cdk/core';

export class SimpleEc2Stack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // The code that defines your stack goes here
  }
}

As you can see, the cdk init command bootstrapped a nice template for us to get to writing our IaC fast. The base class cdk.Stack gives us the ability to create a new Cloudformation stack.

We also need to create a .env file to keep our AWS Account number and the region we will use. In the root of the project create a file called .env and add the following. Replace the xxXxXxxXXxXxx with your AWS account number and use the region you want.

AWS_ACCOUNT_NUMBER=xxXxXxxXXxXxx
AWS_ACCOUNT_REGION=us-west-2

We want to create an ec2 instance so we will need the @aws-cdk/ec2 library. (This is the same process for any other AWS service you need to provision resources). We will also need @aws-cdk/aws-iam library to give permissions to our instance to do stuff. We also want to be able to read our .env file so lets also install dotenv package

npm install @aws-cdk/aws-ec2 @aws-cdk/aws-iam dotenv

Remember, since the CDK is written in Typescript and is typed excellently, while typing you can access intellisense and see the various properties of CDK resources e.g. in the image below I can see what properties an instance of ec2.Instance() class has.

Before we try to deploy our newly created instance, we need to go to the AWS console and create a key pair that we will use to access the instance called simple-instance-1-key

• Log into the AWS console.
• Go to EC2 dashboard.
• Go to Key Pairs and click create Key Pair
• Enter key name as simple-instance-1-key and click create
• Your new key pair will be created and your browser will automatically download a new .pem file called simple-instance-1-key.pem
• this is the key file you'll use to gain access to your instance via SSH

Remember we set up our aws profiles and crednetials in ~/.aws/config and ~/.aws/credentials back in

I will be deploying to my default profile which is linked to my personal AWS account with the region us-west-2 .

If you have another profile you want to use then in the commands below use that profile name instead of default .

In your terminal:

cdk synth --profile default

This command will synthesize your stack.

When CDK apps are executed, they produce (or “synthesize”, in CDK parlance) an AWS CloudFormation template for each stack defined in your application.

• Essentially it will print the cloudformation template for your stack to your console.
• It's a good way to check that there's nothing wrong with your stack before trying to deploy since cdk synth will verify the resources you are trying to provision can actually be provisioned.
• You should something like this:

❯ cdk synth --profile default
Resources:
  simpleinstance1role9EEDA67C:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
        Version: "2012-10-17"
   ...
   ...
   ...

If the entire stack prints without error then you're okay to go.

Now we can deploy:

cdk deploy --profile default

Let's ssh into our newly created instance with our key file and the public ip address.

Note: that the default user for AMAZON LINUX images is ec2-user

ssh -i ~/.aws/pems/simple-instance-1-key.pem [email protected]

• Let's create a new file under ./lib/ directory called user_script.sh . Paste this code into that file.
• This code will deploy Apache, Wordpress, Mysql server on this intance. In this script, the database password will be pl55w0rd .
• It's very insecure to add passwords to scripts but in this case I'm doing this just for demonstration purposes.
• In production you should first of all never use such a weak password and secondly, not inside such a script.
• Rather, you should deploy the Mysql database on AWS RDS and setup credentials for that database using AWS Secrets Manager.

Here's the setup file:

#! /bin/bash
# become root user
sudo su

# update dependencies
yum -y update

# we'll install 'expect' to input keystrokes/y/n/passwords
yum -y install expect 

# Install Apache
yum -y install httpd

# Start Apache
service httpd start

# Install PHP
yum -y install php php-mysql
# php 7 needed for latest wordpress
amazon-linux-extras -y install php7.2 

# Restart Apache
service httpd restart

# Install MySQL
wget http://repo.mysql.com/mysql-community-release-el7-5.noarch.rpm
rpm -ivh mysql-community-release-el7-5.noarch.rpm

yum -y update 
yum -y install mysql-server

# Start MySQL
service mysqld start

# Create a database named blog
mysqladmin -uroot create blog

# Secure database
# non interactive mysql_secure_installation with a little help from expect.

SECURE_MYSQL=$(expect -c "

set timeout 10
spawn mysql_secure_installation

expect \"Enter current password for root (enter for none):\"
send \"\r\"

expect \"Change the root password?\"
send \"y\r\"
expect \"New password:\"
send \"pl55w0rd\r\"
expect \"Re-enter new password:\"
send \"pl55w0rd\r\"
expect \"Remove anonymous users?\"
send \"y\r\"

expect \"Disallow root login remotely?\"
send \"y\r\"

expect \"Remove test database and access to it?\"
send \"y\r\"

expect \"Reload privilege tables now?\"
send \"y\r\"

expect eof
")

echo "$SECURE_MYSQL"

# Change directory to web root
cd /var/www/html

# Download Wordpress
wget http://wordpress.org/latest.tar.gz

# Extract Wordpress
tar -xzvf latest.tar.gz

# Rename wordpress directory to blog
mv wordpress blog

# Change directory to blog
cd /var/www/html/blog/

# Create a WordPress config file 
mv wp-config-sample.php wp-config.php

#set database details with perl find and replace
sed -i "s/database_name_here/blog/g" /var/www/html/blog/wp-config.php
sed -i "s/username_here/root/g" /var/www/html/blog/wp-config.php
sed -i "s/password_here/pl55w0rd/g" /var/www/html/blog/wp-config.php

# create uploads folder and set permissions
mkdir wp-content/uploads
chmod 777 wp-content/uploads

#remove wp file
rm -rf /var/www/html/latest.tar.gz

We will need to add fs module at the top of our ./lib/simple-ec2-stack.ts file since instance.addUserData() needs to access the file system during deployment.

import * as cdk from '@aws-cdk/core'
import * as ec2 from '@aws-cdk/aws-ec2' // import ec2 library 
import * as iam from '@aws-cdk/aws-iam' // import iam library for permissions

// lets include fs module
import * as fs from 'fs'

Then we can the function instance.addUserData() right before our output function:

...

    // add user script to instance
    // this script runs when the instance is started 
    instance.addUserData(
      fs.readFileSync('lib/user_script.sh', 'utf8')
    )

    // cdk lets us output prperties of the resources we create after they are created
    // we want the ip address of this new instance so we can ssh into it later
    new cdk.CfnOutput(this, 'simple-instance-1-output', {
      value: instance.instancePublicIp
    })
...

Let's re-synthesize to check everything is okay:

cdk --synth --profile default

• You should now see the user script commands in the synth output
• Let's deploy our new changes.
• Cloudformation will only update resources that are being updated.
• In this case, only ec2 instance is being updated.
• Other things like roles and security groups will remain as they are since there are no changes to them in the updated stack.

cdk --deploy --profile default

Well we know our CDK code works and can provision an ec2 instance to run our Wordpress server and database. Good.

But how can we make sure that changes to the CDK code do not do what we don't want it to do?

This is where tests come in.

• I do not want any instance other t2.micro to be used as my server instance type because I always want to remain under AWS free tier usage for EC2. Let's ensure that.
• I want to ensure that my instance uses the SSH key with the name simple-instance-1-key

To accomplish this, we change the code inside the file ./test/simple-ec2.test.ts to:

import { expect as expectCDK, haveResourceLike } from '@aws-cdk/assert';
import * as cdk from '@aws-cdk/core';
import * as SimpleEc2 from '../lib/simple-ec2-stack';

test('Check InstanceType and SSH KeyName', () => {
    const app = new cdk.App();
    const stack = new SimpleEc2.SimpleEc2Stack(app, 'MyTestStack');

    expectCDK(stack).to(
      haveResourceLike('AWS::EC2::Instance', {
        InstanceType: 't2.micro',
        KeyName: 'simple-instance-1-key'
      })
    )
});

As you can see from the test code, the test will check the generated Cloudformation template generated by the CDK.

In our case we want to check that the instance is a t2.micro and that it uses the SSH key simple-instance-1-key . These are two crucial properties to us.

If you would like to destroy the infrastructure you just provisioned, it's as simple as:

cdk destroy --profile default

And Cloudformation will remove your entire stack!

The AWS CDK makes writing IaC, provisioning, deploying, updating and destroying infrastructure very painless. You can write tests to make sure you do not deploy the wrong things.

This was a simple example and may seem quite a lot just to deploy an ec2 instance. However, as we progress through the series, you will realize how its very beneficial to complex infrastructure.

In part 4, using the CDK, we will make our Wordpress server more more production ready. We will:

• create AWS RDS Mysql database instead of running the database on the ec2 instance
• provision this database in an isolated subnet to keep it secure from the public Internet
• use AWS SSM to access our instance instead of an SSH key and gain all the benefits of IAM permissions/roles
• deploy an Application Load Balancer
• Create our EC2 instance with better/more advanced script
• Place the Wordpress instance in an AutoScaling Group