π AWS and Terraform in Action: Build Your First IIS Web Server on EC2
francotel
Posted on September 6, 2024
π Introduction
In this post, I will show you how to deploy an IIS web server on a Windows EC2 instance using Terraform on AWS. This project will help you improve your skills in AWS and Terraform and show your automation skills, which are highly valued by recruiters and DevOps teams. Letβs build together!
π― Project Goal
- Create a VPC with a public subnet.
- Deploy a Windows Server EC2 instance.
- Install and configure IIS automatically using a script in the user data.
- Automate everything with Terraform.
π Why This Project is Important
- π§ DevOps Skills: Show your skills with Infrastructure as Code (IaC).
- βοΈ AWS Knowledge: Learn how to work with key AWS services like EC2 and VPC.
- π§βπ» Automation and Scripts: Use user data to set up your IIS server automatically, a key in deployment automation.
π Steps to Implement
1. π οΈ Prerequisites
- Have an AWS account set up.
- Install Terraform on your computer.
- Set up your AWS credentials.
2. ποΈ Create the VPC and Public Subnet
- Define the code block for the VPC and the subnet in Terraform.
- Make sure the subnet is public, with a route table that points to an internet gateway.
# DefiniciΓ³n de la primera VPC
module "networking" {
source = "terraform-aws-modules/vpc/aws"
version = "5.13.0"
name = "vpc-${var.project}-${var.env}"
cidr = var.vpcs["main_vpc"].cidr
azs = slice(data.aws_availability_zones.available.names, 0, 2)
public_subnets = var.vpcs["main_vpc"].public_subnets
enable_dns_hostnames = true
enable_dns_support = true
map_public_ip_on_launch = true
public_subnet_tags = {
subnet-tag = "public-subnet-${var.project}-1"
}
}
3. π₯οΈ Set Up the EC2 with Windows Server
- Define the EC2 instance in Terraform with the Windows Server AMI.
- Make sure the instance is in the public subnet.
module "ec2_win" {
source = "terraform-aws-modules/ec2-instance/aws"
version = "5.6.1"
name = "ec2-${var.project}-${var.env}"
ami = data.aws_ami.windows-2022.id
ignore_ami_changes = false
instance_type = "t3a.micro"
subnet_id = element(module.networking.public_subnets, 0)
vpc_security_group_ids = [aws_security_group.ec2_sg.id] #[module.security_group.security_group_id]
user_data = file("./scripts/userdata.tpl")
user_data_replace_on_change = true
create_iam_instance_profile = true
iam_role_description = "IAM role for EC2 instance"
iam_role_policies = {
AmazonSSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
AdministratorAccess = "arn:aws:iam::aws:policy/AdministratorAccess"
}
metadata_options = {
http_tokens = "required"
}
}
4. π Install IIS Using User Data
- Use a PowerShell script in the EC2 user data to install IIS.
How to Run the Project
- Clone the repository:
git clone https://github.com/francotel/aws-ec2-iis-terraform
cd aws-ec2-iis-terraform
Review the outputs to connect EC2 instance by Remote Desktop
output "win_id" {
value = module.ec2_win.id
}
output "win_public_ip" {
value = module.ec2_win.public_ip
}
output "ssm_command_win_pwd_reset" {
value = "aws ssm start-session --target ${module.ec2_win.id} --document-name 'AWS-PasswordReset' --parameters username='Administrator' --region ${local.aws_region} --profile SET-AWS-PROFILE"
}
output "ssm_command_win_port_forward" {
value = "aws ssm start-session --target ${module.ec2_win.id} --document-name 'AWS-StartPortForwardingSession' --parameters portNumber='3389',localPortNumber='53389' --region ${local.aws_region} --profile SET-AWS-PROFILE"
}
output "rdp_win_fqdn" {
value = "localhost:53389"
}
output "rdp_win_user" {
value = "Administrator"
}
Change password:
aws ssm start-session --target i-0b216e8330fa8ab0f --document-name 'AWS-PasswordReset' --parameters username='Administrator' --region us-west-1 --profile SET-AWS-PROFILE
Starting session with SessionId: fnavarro-6foslmckrylp2hbv7farhe2qsm
This session is encrypted using AWS KMS.
Type a password for the user:
Retype the password to confirm:
The command completed successfully.
Open port forward:
aws ssm start-session --target i-0b216e8330fa8ab0f --document-name 'AWS-StartPortForwardingSession' --parameters portNumber='3389',localPortNumber='53389' --region us-west-1 --profile SET-AWS-PROFILE
Starting session with SessionId: fnavarro-zzngnhfvgs5i6jxvalab4sthkm
Port 53389 opened for sessionId fnavarro-zzngnhfvgs5i6jxvalab4sthkm.
Waiting for connections...
Exiting session with sessionId: fnavarro-6foslmckrylp2hbv7farhe2qsm.
π Security Enhancements and Recommendations
One of the key improvements in this setup is the ability to access the Windows server via Remote Desktop (RDP) using AWS Systems Manager (SSM). This approach eliminates the need to expose RDP ports to the internet, making the connection more secure. Below are the critical configurations and recommendations:
π₯οΈ Accessing Remote Desktop via SSM: By using SSM, you can securely connect to your EC2 instance without opening RDP ports. Make sure you have the SSM agent installed and configured correctly on your instance.
π KMS for Encryption: AWS Key Management Service (KMS) is used to encrypt the data traffic when accessing the instance. Ensure that your instance is properly configured to use KMS keys for added security.
π EC2 Instance Role with Administrator Access: Currently, the EC2 instance is using a role with Administrator Access for testing purposes. For production environments, it's highly recommended to use a more restricted role with the minimum necessary permissions.
Security Best Practices:
- Limit Access: Restrict permissions in the IAM role to what is strictly necessary for the EC2 instance to function.
- Use KMS Keys: Ensure data is encrypted in transit by properly configuring KMS.
- Audit and Monitor: Regularly review IAM policies and monitor access to maintain a secure environment.
β οΈ Final Recommendations
Before finishing, it's important to highlight a few key points to keep your setup secure and ready for production:
π Security Group Settings: The current security group is open for testing purposes. Do not use this configuration in production. You should restrict inbound rules to allow access only from trusted IP addresses.
π Windows User Management: The default Windows user password needs to be reset after the instance is launched. Ensure to set a strong, unique password before using the server.
π₯οΈ Accessing the Server: Instead of using direct RDP (Remote Desktop Protocol) access, it's recommended to connect through AWS Systems Manager (SSM). This method is more secure as it avoids exposing RDP ports to the internet.
π Harden the Instance: Consider implementing additional security measures, like disabling unnecessary services, applying the latest updates, and setting up proper monitoring.
These steps will help you keep your server secure and compliant with best practices.
For more information and a detailed guide, please check the complete code on GitHub: aws-ec2-iis-terraform
π’ Follow Me and Support!
If you find this repository useful and want to see more content like this, follow me on LinkedIn to stay updated on more projects and resources!
If youβd like to support my work, you can buy me a coffee. Thank you for your support!
Posted on September 6, 2024
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.