Skip to content

AWS Setup Guide

Some of these steps are focused on running on a local GNU/Linux environment, but most of it is also relevant to Windows OS as well.

Steps to automate AWS infrastructure

1. Get OpenTofu CLI

Retrieve the cli from GitHub release page by running:

1
2
3
wget https://github.com/opentofu/opentofu/releases/download/v1.9.0/tofu_1.9.0_linux_amd64.zip
unzip tofu_1.9.0_linux_amd64.zip
sudo cp tofu /usr/bin/

Verity that tofu is detected by running:

tofu version

which will output the tofu version v1.9.0.

2. Clone git repo

Clone the git repo that has been communicated to you using the specific GitLab access token:

git clone https://<username>:<access-token>@gitlab.com/<repo>

3. Set Up Tofu Code

3.1 Use terraform.tfvars

Copy the existing terraform.tfvars.example to terraform.tfvars and make changes to the variables in that file. Make sure to modify the GitLab user and GitLab access token there with those credentials provided to you. Basically, you'll have 2 sets of tokens. This access token is separate from the other token mentioned in the previous section which is used to clone the repo. The current token is used to pull the containers from the GitLab registry.

3.2 Tofu Init

Before initializing tofu, make sure to login to your AWS SSO through the CLI:

aws sso login

and setup the sso config locally. And finally, initialize tofu with:

tofu init

3.3 Tofu Plan / Apply

To view the resources that will be created, run: 

tofu plan

and once that is completed, you should apply the changes

tofu apply

which will actually create the resources in AWS.

Manual Steps

These manual steps can be done either through AWS UI or cli. However for now, we will cover AWS UI only.

1. LetsEncrypt Initial Certs

For the very first time, we need to run certbot command to get a LetsEncrypt Cert, which is used by "internal" loadbalancer in private network

certbot certonly --dns-route53 -d <domain>

This will also create a new account for you, gather the private key for the account and save in the secrets manager (mentioned below)

2. Credentials in Secrets Manager

There are 2 secrets that needs to manually updated the very first time it is deployed through tofu, namely:

  • instandt-letsencrypt-account-<random-id>
  • ecr-pullthroughcache/dndt-gitlab-<random-id>

For instandt-letsencrypt-account-<random-id>, get the private key from the previous step, initial LetsEncrypt cert and store it in this secret.

For ecr-pullthroughcache/dndt-gitlab-<random-id>, this token is used to access the gitlab container registry. This token is not the same as the token used to clone the template infrastructure-as-code repository.

3. App Version in Parameter Store

Make changes to app version parameter only on the first time you deploy this resource, on later deploys, tofu will take care of updating this parameter. This will be the app version that ECS Task Definition from tofu uses to deploy the application (frontend, backend and db migration images).