1 of 5

AWS

Provision infra for DIGIT on AWS using Terraform

Topics covered:

AWS deployment basics
Pre-reads before deployment
Steps to install

Overview

Amazon Elastic Kubernetes Service (EKS) is an AWS service for deploying, managing, and scaling distributed and containerized workloads. With EKS, you can easily provision a cluster on AWS using Terraform, which automates the process. Then, deploy the DIGIT services configuration using Helm.

Pre-reads

Know about EKS: https://www.youtube.com/watch?v=SsUnPWp5ilc
Know what is terraform: https://youtu.be/h970ZBgKINg

Installation Steps

1. Pre-requisites

Find the pre-requisites for deploying DIGIT platform services on AWS

Topics covered:

Pre-requisites to check before deployment

Pre-requisites

AWS account with admin access to provision infrastructure. You will need a paid subscription to the AWS.
Install kubectl (any version) on the local machine - it helps interact with the Kubernetes cluster.
Install Helm - this helps package the services, configurations, environments, secrets, etc into Kubernetes manifests. Verify that the installed version of helm is equal to 3.0 or higher.

// command to check helm version
helm version

Install tfswitch - to run different versions of Terraform on the machine. tfswitch supports multiple terraform versions on the same machine and you can toggle between the desired versions.

// On Mac
brew install warrensbox/tap/tfswitch

// On Linux
curl -L https://raw.githubusercontent.com/warrensbox/terraform-switcher/master/install.sh -o install.sh
sudo bash install.sh

Refer to tfswitch documentation for different platforms. Terraform version 0.14.10 can be installed directly as well.

5. Run tfswitch and it will show a list of terraform versions. Scroll down and select terraform version (0.14.10) for the Infra-as-code (IaC) to provision cloud resources as code. This provides the desired resource graph and helps destroy the cluster in one go.

// On Linux
sudo apt-get update && sudo apt-get install -y gnupg software-properties-common
wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt-get update && sudo apt-get install terraform

// On Mac
brew tap hashicorp/tap
brew install hashicorp/tap/terraform

Install Golang

For Linux: Follow the instructions here to install Golang on Linux.
For Windows: Download the installer using the link here and follow the installation instructions.
For Mac: Download the installer using the link here and follow the installation instructions.

Install cURL - for making API calls
Install Visual Studio Code - for better code visualization/editing capabilities
Install Postman - to run digit bootstrap scripts
Install AWS CLI

2. Setup AWS Account

Steps to setup the AWS account for deployment

Topics covered:

Pre-requisites to setting up the AWS account
Get access to the AWS account

Overview

Follow the details below to set up your AWS account before you proceed with the DIGIT deployment.

Get AWS Access

Public Users

Sign up for the AWS account if you do not already have one. Use this link to get started
Assign Administrator Access to the IAM user for necessary permissions.
Use the AWS IAM User credentials provided for the Terraform (Infra-as-code) to connect with your AWS account and provision the cloud resources.
The system will generate a Secret Access Key and Access Key ID. Save the keys.
Open the terminal. Run the following command you have installed on the AWS CLI and use the credentials. (Provide the credentials and leave the region and output format blank).

Note: Make sure the profile name provided in the commands below is also used in the Terraform scripts same as the AWS profile.

aws configure --profile digit-quickstart-poc 

AWS Access Key ID []:<Your access key>
AWS Secret Access Key []:<Your secret key>
Default region name []: ap-south-1
Default output format []: text

// Setting profile
export AWS_PROFILE=digit-quickstart-poc

The above will create the following file in your machine under the user home directory. /path/to/user/home/.aws/credentials

[digit-quickstart-poc] 
aws_access_key_id=*********** 
aws_secret_access_key=*************************

Once the command line access is configured, everything is set to proceed with the terraform to provision the DIGIT Infra-as-code.

3. Provision Infrastructure

Overview

The image below illustrates the multiple components deployed. These include the EKS, Worker Nodes, Postgres DB, EBS Volumes, and Load Balancer.

Steps

Clone the DIGIT-DevOps repository:

Navigate to the cloned repository and checkout the release-1.28-Kubernetes branch:

Choose either method below to generate SSH key pairs
- b. Use openssl:

Open input.yaml file in vscode. Use the below code to open it in VS code:
code infra-as-code/terraform/sample-aws/input.yaml
If the command does not work, open the file in VS code manually. Once the file is open, fill in the inputs. (If you are not using vscode, open it in any editor of your choice).
Fill in the inputs as per the regex mentioned in the comments.
Go to infra-as-code/terraform/sample-aws and run init.go script to enrich different files based on input.yaml.

Terraform Execution: Infrastructure Resources Provisioning

Once we are complete declaring the resources, begin with deploying all resources.

Run the terraform scripts to provision infra required to Deploy DIGIT on AWS.

CD (change directory) to the following directory and run the below commands to create the remote state.

Once the remote state is created, it is time to provision DIGIT infra. Run the below commands:

Important:

DB password is asked for in the application stage. Remember the password you have provided. It should be at least 8 characters long. Otherwise, RDS provisioning will fail.
The output of the apply command will be displayed on the console. Store this in a file somewhere. Values from this file will be used in the next step of deployment.

3. Verify that you can connect to the cluster by running the following command

At this point, your basic infra has been provisioned.

Destroying Infra

To destroy the previously created infrastructure with Terraform, run the command below:

ELB is not deployed via Terraform. ELB was created at deployment time by the setup of Kubernetes Ingress. This has to be deleted manually by deleting the ingress service.
- kubectl delete deployment nginx-ingress-controller -n <namespace>
- kubectl delete svc nginx-ingress-controller -n <namespace>
  Note: Namespace can be either egov or jenkins.
Delete S3 buckets manually from the AWS console and verify if ELB got deleted.
Run terraform destroy.

Sometimes all artefacts associated with a deployment cannot be deleted through Terraform. For example, RDS instances might have to be deleted manually. It is recommended to log in to the AWS management console and look through the infra to delete any remnants.

FAQ

If you have any questions please write to us.

Make sure to use the appropriate discussion category and labels to address the issues better.

Discussion Board

2. Setup AWS Account

Steps to setup the AWS account for deployment

Topics covered:

Pre-requisites to setting up the AWS account
Get access to the AWS account

Overview

Follow the details below to set up your AWS account before you proceed with the DIGIT deployment.

Get AWS Access

Public Users

Sign up for the AWS account if you do not already have one. Use this link to get started
Assign Administrator Access to the IAM user for necessary permissions.
Use the AWS IAM User credentials provided for the Terraform (Infra-as-code) to connect with your AWS account and provision the cloud resources.
The system will generate a Secret Access Key and Access Key ID. Save the keys.
Open the terminal. Run the following command you have installed on the AWS CLI and use the credentials. (Provide the credentials and leave the region and output format blank).

Note: Make sure the profile name provided in the commands below is also used in the Terraform scripts same as the AWS profile.

aws configure --profile digit-quickstart-poc 

AWS Access Key ID []:<Your access key>
AWS Secret Access Key []:<Your secret key>
Default region name []: ap-south-1
Default output format []: text

// Setting profile
export AWS_PROFILE=digit-quickstart-poc

The above will create the following file in your machine under the user home directory. /path/to/user/home/.aws/credentials

[digit-quickstart-poc] 
aws_access_key_id=*********** 
aws_secret_access_key=*************************

Once the command line access is configured, everything is set to proceed with the terraform to provision the DIGIT Infra-as-code.

1. Pre-requisites

Find the pre-requisites for deploying DIGIT platform services on AWS

Topics covered:

Pre-requisites to check before deployment

Pre-requisites

AWS account with admin access to provision infrastructure. You will need a paid subscription to the AWS.
Install kubectl (any version) on the local machine - it helps interact with the Kubernetes cluster.
Install Helm - this helps package the services, configurations, environments, secrets, etc into Kubernetes manifests. Verify that the installed version of helm is equal to 3.0 or higher.

// command to check helm version
helm version

Install tfswitch - to run different versions of Terraform on the machine. tfswitch supports multiple terraform versions on the same machine and you can toggle between the desired versions.

// On Mac
brew install warrensbox/tap/tfswitch

// On Linux
curl -L https://raw.githubusercontent.com/warrensbox/terraform-switcher/master/install.sh -o install.sh
sudo bash install.sh

Refer to tfswitch documentation for different platforms. Terraform version 0.14.10 can be installed directly as well.

// On Linux
sudo apt-get update && sudo apt-get install -y gnupg software-properties-common
wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt-get update && sudo apt-get install terraform

// On Mac
brew tap hashicorp/tap
brew install hashicorp/tap/terraform

Install Golang

For Linux: Follow the instructions here to install Golang on Linux.
For Windows: Download the installer using the link here and follow the installation instructions.
For Mac: Download the installer using the link here and follow the installation instructions.

Install cURL - for making API calls
Install Visual Studio Code - for better code visualization/editing capabilities
Install Postman - to run digit bootstrap scripts
Install AWS CLI

3. Provision Infrastructure

Overview

The image below illustrates the multiple components deployed. These include the EKS, Worker Nodes, Postgres DB, EBS Volumes, and Load Balancer.

Steps

Clone the DIGIT-DevOps repository:

git clone https://github.com/egovernments/DIGIT-DevOps.git

Navigate to the cloned repository and checkout the release-1.28-Kubernetes branch:

cd DIGIT-DevOps 
git checkout release-1.28-kubernetes

Check if the correct credentials are configured using the command below. Refer to the attached doc to on the local machine.

aws configure list

Make sure that the above command reflects the set AWS credentials. Proceed once the details are confirmed. (If the credentials are not set follow Step 2 )

Choose either method below to generate SSH key pairs
- a. Use an online website (not recommended in a production setup. To be only used for demo setups):
- b. Use openssl:

openssl genpkey -algorithm RSA -out private_key.pem openssl rsa -pubout -in private_key.pem -out public_key.pem

Add the public key to your .
Open input.yaml file in vscode. Use the below code to open it in VS code:
code infra-as-code/terraform/sample-aws/input.yaml
If the command does not work, open the file in VS code manually. Once the file is open, fill in the inputs. (If you are not using vscode, open it in any editor of your choice).
Fill in the inputs as per the regex mentioned in the comments.
Go to infra-as-code/terraform/sample-aws and run init.go script to enrich different files based on input.yaml.

cd infra-as-code/terraform/sample-aws 
go run ../scripts/init.go

Terraform Execution: Infrastructure Resources Provisioning

Once we are complete declaring the resources, begin with deploying all resources.

Run the terraform scripts to provision infra required to Deploy DIGIT on AWS.

CD (change directory) to the following directory and run the below commands to create the remote state.

### Create the remote-state first, remember that the state name should be unique
### You may need to use sudo incase you don't have requisite permission

cd remote-state

terraform init

terraform plan

terraform apply

Once the remote state is created, it is time to provision DIGIT infra. Run the below commands:

### Once the remote state is created, you can create the DIGIT Infra

cd ..

terraform init

terraform plan

terraform apply

Important:

DB password is asked for in the application stage. Remember the password you have provided. It should be at least 8 characters long. Otherwise, RDS provisioning will fail.
The output of the apply command will be displayed on the console. Store this in a file somewhere. Values from this file will be used in the next step of deployment.

2. Use this link to for the cluster. The region code is the default region provided in the availability zones in variables.tf. For example - ap-south-1. EKS cluster name also should've been filled in variables.tf.

aws sts get-caller-identity

# Run the below command and give the respective region-code and the cluster name
aws eks --region <region-code> update-kubeconfig --name <cluster_name>

3. Verify that you can connect to the cluster by running the following command

kubectl config use-context <cluster_name>

kubectl get nodes

NAME                                             STATUS AGE   VERSION               OS-Image           
ip-192-168-xx-1.ap-south-1.compute.internal   Ready  45d   v1.15.10-eks-bac369   Amazon Linux 2   
ip-192-168-xx-2.ap-south-1.compute.internal   Ready  45d   v1.15.10-eks-bac369   Amazon Linux 2   
ip-192-168-xx-3.ap-south-1.compute.internal   Ready  45d   v1.15.10-eks-bac369   Amazon Linux 2   
ip-192-168-xx-4.ap-south-1.compute.internal   Ready  45d   v1.15.10-eks-bac369   Amazon Linux 2

At this point, your basic infra has been provisioned.

Note: Refer to thedocumentation to deploy DIGIT services.

Destroying Infra

To destroy the previously created infrastructure with Terraform, run the command below:

ELB is not deployed via Terraform. ELB was created at deployment time by the setup of Kubernetes Ingress. This has to be deleted manually by deleting the ingress service.
- kubectl delete deployment nginx-ingress-controller -n <namespace>
- kubectl delete svc nginx-ingress-controller -n <namespace>
  Note: Namespace can be either egov or jenkins.
Delete S3 buckets manually from the AWS console and verify if ELB got deleted.
- In case of if ELB is not deleted, you need to delete ELB from the .
Run terraform destroy.