Service Catalog Version 0.96.9Last updated in version 0.96.1

EC2 Instance

View SourceRelease Notes

Overview

This service creates a single EC2 instance that includes server hardening, IAM role, EIP (optional), EBS Volume (optional), and CloudWatch metrics, logs, and alerts. Note that a single EC2 instance can be a single point of failure, so if you want to run multiple EC2 instances for high availability and scalability, see the asg-service.

Features

• Build an AMI to run on the EC2 instance
• Create EC2 instance for the host
• Allocate an optional Elastic IP Address (EIP) and an associated DNS record
• Create an IAM Role and IAM instance profile
• Create a security group to manage ingress and egress traffic on desired ports
• Harden the OS by installing fail2ban, ntp, auto-update, ip-lockdown, and more
• Send all logs and metrics to CloudWatch
• Configure alerts in CloudWatch for CPU, memory, and disk space usage
• Manage SSH access with IAM groups using ssh-grunt
• Create and mount optional EBS volumes
• Allow ingress traffic on desired ports

Learn

note

This repo is a part of the Gruntwork Service Catalog, a collection of reusable, battle-tested, production ready infrastructure code. If you’ve never used the Service Catalog before, make sure to read How to use the Gruntwork Service Catalog!

Core concepts

• How do I update my instance?
• How do I use User Data?
• How do I mount an EBS volume?

The EC2 Instance AMI

The EC2 Instance AMI is defined using the Packer template at ec2-instance.json. This template configures the AMI to:

1. Run the ssh-grunt module so that developers can upload their public SSH keys to IAM and use those SSH keys, along with their IAM user names, toSSH to the EC2 instance.

2. Run the auto-update module so that the EC2 instance installs security updates automatically.

3. Optionally run the syslog module to automatically rotate and rate limit syslog so that the EC2 instance doesn’t run out of disk space from large volumes of logs.

Deploy

Non-production deployment (quick start for learning)

If you just want to try this repo out for experimenting and learning, check out the following resources:

• examples/for-learning-and-testing folder: The examples/for-learning-and-testing folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage).

Production deployment

If you want to deploy this repo in production, check out the following resources:

• examples/for-production folder: The examples/for-production folder contains sample code optimized for direct usage in production. This is code from the Gruntwork Reference Architecture, and it shows you how we build an end-to-end, integrated tech stack on top of the Gruntwork Service Catalog, configure CI / CD for your apps and infrastructure.

Reference

Inputs

Required

allow_port_from_cidr_blocksmap(object(…))required

Accept inbound traffic on these port ranges from the specified CIDR blocks

Type Details

map(object({
    from_port   = number
    to_port     = number
    protocol    = string
    cidr_blocks = list(string)
  }))

allow_port_from_security_group_idsmap(object(…))required

Accept inbound traffic on these port ranges from the specified security groups

Type Details

map(object({
    from_port                = number
    to_port                  = number
    protocol                 = string
    source_security_group_id = string
  }))

allow_ssh_from_cidr_blockslist(string)required

Accept inbound SSH from these CIDR blocks

allow_ssh_from_security_group_idslist(string)required

Accept inbound SSH from these security groups

amistringrequired

The AMI to run on the EC2 instance. This should be built from the Packer template under ec2-instance.json. One of ami or ami_filters is required. Set to null if looking up the ami with filters.

ami_filtersobject(…)required

Properties on the AMI that can be used to lookup a prebuilt AMI for use with the EC2 instance. You can build the AMI using the Packer template ec2-instance.json. Only used if ami is null. One of ami or ami_filters is required. Set to null if passing the ami ID directly.

Type Details

object({
    # List of owners to limit the search. Set to null if you do not wish to limit the search by AMI owners.
    owners = list(string)

    # Name/Value pairs to filter the AMI off of. There are several valid keys, for a full reference, check out the
    # documentation for describe-images in the AWS CLI reference
    # (https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-images.html).
    filters = list(object({
      name   = string
      values = list(string)
    }))
  })

dns_zone_is_privateboolrequired

Specify whether we're selecting a private or public Route 53 DNS Zone

ebs_volumesanyrequired

The EBS volumes to attach to the instance. This must be a map of key/value pairs.

Type Details

Any types represent complex values of variable type. For details, please consult `variables.tf` in the source repo.

instance_typestringrequired

The type of instance to run for the EC2 instance

namestringrequired

The name of the EC2 instance and the other resources created by these templates

route53_lookup_domain_namerequired

The domain name to use to look up the Route 53 hosted zone. Will be a subset of fully_qualified_domain_name: e.g., my-company.com. Only one of route53_lookup_domain_name or route53_zone_id should be used.

route53_zone_idstringrequired

The ID of the hosted zone to use. Allows specifying the hosted zone directly instead of looking it up via domain name. Only one of route53_lookup_domain_name or route53_zone_id should be used.

subnet_idstringrequired

The ID of the subnet in which to deploy the EC2 instance. Must be a subnet in vpc_id.

vpc_idstringrequired

The ID of the VPC in which to deploy the EC2 instance.

Optional

additional_security_group_idslist(string)optional

A list of optional additional security group ids to assign to the EC2 instance.

Default:[]

alarms_sns_topic_arnlist(string)optional

The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and disk space usage) should send notifications.

Default:[]

attach_eipbooloptional

Determines if an Elastic IP (EIP) will be created for this instance.

Default:true

base_domain_name_tagsmap(string)optional

Tags to use to filter the Route 53 Hosted Zones that might match the hosted zone's name (use if you have multiple public hosted zones with the same name)

Default:{}

cloud_init_partsmap(object(…))optional

Cloud init scripts to run on the EC2 instance while it boots. See the part blocks in https://www.terraform.io/docs/providers/template/d/cloudinit_config.html for syntax.

Type Details

map(object({
    filename     = string
    content_type = string
    content      = string
  }))

Default:{}

cloudwatch_log_group_kms_key_idstringoptional

The ID (ARN, alias ARN, AWS ID) of a customer managed KMS Key to use for encrypting log data.

Default:null

cloudwatch_log_group_retention_in_daysnumberoptional

The number of days to retain log events in the log group. Refer to https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#retention_in_days for all the valid values. When null, the log events are retained forever.

Default:null

cloudwatch_log_group_tagsmap(string)optional

Tags to apply on the CloudWatch Log Group, encoded as a map where the keys are tag keys and values are tag values.

Default:null

create_dns_recordbooloptional

Set to true to create a DNS record in Route53 pointing to the EC2 instance. If true, be sure to set fully_qualified_domain_name.

Default:true

default_userstringoptional

The default OS user for the EC2 instance AMI. For AWS Ubuntu AMIs, which is what the Packer template in ec2-instance.json uses, the default OS user is 'ubuntu'.

Default:"ubuntu"

dns_ttlnumberoptional

DNS Time To Live in seconds.

Default:300

ebs_optimizedbooloptional

If true, the launched EC2 Instance will be EBS-optimized.

Default:true

enable_cloudwatch_alarmsbooloptional

Set to true to enable several basic CloudWatch alarms around CPU usage, memory usage, and disk space usage. If set to true, make sure to specify SNS topics to send notifications to using alarms_sns_topic_arn.

Default:true

enable_cloudwatch_log_aggregationbooloptional

Set to true to send logs to CloudWatch. This is useful in combination with https://github.com/gruntwork-io/terraform-aws-monitoring/tree/master/modules/logs/cloudwatch-log-aggregation-scripts to do log aggregation in CloudWatch.

Default:true

enable_cloudwatch_metricsbooloptional

Set to true to add IAM permissions to send custom metrics to CloudWatch. This is useful in combination with https://github.com/gruntwork-io/terraform-aws-monitoring/tree/master/modules/metrics/cloudwatch-memory-disk-metrics-scripts to get memory and disk metrics in CloudWatch for your EC2 instance.

Default:true

enable_fail2banbooloptional

Enable fail2ban to block brute force log in attempts. Defaults to true.

Default:true

enable_ip_lockdownbooloptional

Enable ip-lockdown to block access to the instance metadata. Defaults to true.

Default:true

enable_ssh_gruntbooloptional

Set to true to add IAM permissions for ssh-grunt (https://github.com/gruntwork-io/terraform-aws-security/tree/master/modules/ssh-grunt), which will allow you to manage SSH access via IAM groups.

Default:true

external_account_ssh_grunt_role_arnstringoptional

If you are using ssh-grunt and your IAM users / groups are defined in a separate AWS account, you can use this variable to specify the ARN of an IAM role that ssh-grunt can assume to retrieve IAM group and public SSH key info from that account. To omit this variable, set it to an empty string (do NOT use null, or Terraform will complain).

Default:""

fully_qualified_domain_namestringoptional

The apex domain of the hostname for the EC2 instance (e.g., example.com). The complete hostname for the EC2 instance will be name.fully_qualified_domain_name (e.g., bastion.example.com). Only used if create_dns_record is true.

Default:""

high_instance_cpu_utilization_periodnumberoptional

The period, in seconds, over which to measure the CPU utilization percentage for the instance.

Default:60

high_instance_cpu_utilization_thresholdnumberoptional

Trigger an alarm if the EC2 instance has a CPU utilization percentage above this threshold.

Default:90

high_instance_cpu_utilization_treat_missing_datastringoptional

Sets how this alarm should handle entering the INSUFFICIENT_DATA state. Based on https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.

Default:"missing"

high_instance_disk_utilization_periodnumberoptional

The period, in seconds, over which to measure the root disk utilization percentage for the instance.

Default:60

high_instance_disk_utilization_thresholdnumberoptional

Trigger an alarm if the EC2 instance has a root disk utilization percentage above this threshold.

Default:90

high_instance_disk_utilization_treat_missing_datastringoptional

Sets how this alarm should handle entering the INSUFFICIENT_DATA state. Based on https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.

Default:"missing"

high_instance_memory_utilization_periodnumberoptional

The period, in seconds, over which to measure the Memory utilization percentage for the instance.

Default:60

high_instance_memory_utilization_thresholdnumberoptional

Trigger an alarm if the EC2 instance has a Memory utilization percentage above this threshold.

Default:90

high_instance_memory_utilization_treat_missing_datastringoptional

Sets how this alarm should handle entering the INSUFFICIENT_DATA state. Based on https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.

Default:"missing"

keypair_namestringoptional

The name of a Key Pair that can be used to SSH to this instance. This instance may have ssh-grunt installed. The preferred way to do SSH access is with your own IAM user name and SSH key. This Key Pair is only as a fallback.

Default:null

root_volume_delete_on_terminationbooloptional

If set to true, the root volume will be deleted when the Instance is terminated.

Default:true

root_volume_sizenumberoptional

The size of the root volume, in gigabytes.

Default:8

root_volume_typestringoptional

The root volume type. Must be one of: standard, gp2, io1.

Default:"standard"

should_create_cloudwatch_log_groupbooloptional

When true, precreate the CloudWatch Log Group to use for log aggregation from the EC2 instances. This is useful if you wish to customize the CloudWatch Log Group with various settings such as retention periods and KMS encryption. When false, the CloudWatch agent will automatically create a basic log group to use.

Default:true

ssh_grunt_iam_groupstringoptional

If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to this EC2 instance. To omit this variable, set it to an empty string (do NOT use null, or Terraform will complain).

Default:""

ssh_grunt_iam_group_sudostringoptional

If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to this EC2 instance. To omit this variable, set it to an empty string (do NOT use null, or Terraform will complain).

Default:""

tagsmap(string)optional

A map of tags to apply to the EC2 instance and the S3 Buckets. The key is the tag name and the value is the tag value.

Default:{}

tenancystringoptional

The tenancy of this instance. Must be one of: default, dedicated, or host.

Default:"default"

use_managed_iam_policiesbooloptional

When true, all IAM policies will be managed as dedicated policies rather than inline policies attached to the IAM roles. Dedicated managed policies are friendlier to automated policy checkers, which may scan a single resource for findings. As such, it is important to avoid inline policies when targeting compliance with various security standards.

Default:true

Outputs

dns_name

The fully qualified name of the EC2 server.

ec2_instance_iam_role_arn

The ARN of the EC2 server's IAM role.

ec2_instance_iam_role_id

The ID of the EC2 server's IAM role.

ec2_instance_iam_role_name

The name of the EC2 server's IAM role.

ec2_instance_instance_id

The EC2 instance ID of the EC2 server.

ec2_instance_private_ip

The private IP address of the EC2 server.

ec2_instance_public_ip

The public IP address of the EC2 server.

ec2_instance_security_group_id

The ID of the EC2 servers's security group.

ec2_instance_volume_info

Info about the created EBS volumes.

ec2_instance_volume_parameters

The input parameters for the EBS volumes.