setting up a new aws account

aws beginner pro

toc

  1. terraform for everything
  2. setup billing alert

terraform for everything

no clicking around. we dont like mice.

before using tf we create an s3 bucket for tf state and a dynamodb table for locking.

create-terraform-backend.sh
#!/bin/bash


set -euo pipefail


# AWS CLI profile to use
AWS_PROFILE="my-profile"
APP_NAME="my-app"


# Prompt the user to confirm the AWS CLI profile to use
read -p "Do you want to use the AWS profile \"$AWS_PROFILE\"? [y/n] " -n 1 -r
echo    # move to a new line
if [[ ! $REPLY =~ ^[Yy]$ ]]
then
    echo "Aborting script."
    exit 1
fi


# AWS region to use
AWS_REGION="eu-west-1"


# Name of the S3 bucket to create
BUCKET_NAME="${APP_NAME}-terraform-state-bucket"


# Name of the DynamoDB table to create for state locking
LOCK_TABLE_NAME="terraform-state-lock"


# Check if S3 bucket exists
if aws s3api head-bucket --bucket "$BUCKET_NAME" --profile "$AWS_PROFILE" 2>/dev/null; then
    echo "Bucket already exists"
else
    # Create S3 bucket if it doesn't already exist
    # Specify LocationConstraint if region is not us-east-1
    # See https://awscli.amazonaws.com/v2/documentation/api/2.0.34/reference/s3api/create-bucket.html#examples
    if [[ "$AWS_REGION" == "us-east-1" ]]; then
        aws s3api create-bucket --bucket "$BUCKET_NAME" --region "$AWS_REGION" --profile "$AWS_PROFILE"
    else
        aws s3api create-bucket --bucket "$BUCKET_NAME" --region "$AWS_REGION" --create-bucket-configuration LocationConstraint="$AWS_REGION" --profile "$AWS_PROFILE"
    fi
    echo "Bucket created"
fi


# Enable versioning on the S3 bucket
aws s3api put-bucket-versioning --bucket "$BUCKET_NAME" --versioning-configuration Status=Enabled --profile "$AWS_PROFILE" || true


# Check if DynamoDB table exists
if aws dynamodb describe-table --table-name "$LOCK_TABLE_NAME" --profile "$AWS_PROFILE" --region "$AWS_REGION" 2>/dev/null; then
    echo "Table already exists"
else
    # Create DynamoDB table
    aws dynamodb create-table --table-name "$LOCK_TABLE_NAME" --attribute-definitions AttributeName=LockID,AttributeType=S --key-schema AttributeName=LockID,KeyType=HASH --billing-mode PAY_PER_REQUEST --profile "$AWS_PROFILE" --region "$AWS_REGION"
    echo "Table created"
fi

basic tf:

main.tf
# Default aws provider
provider "aws" {
  profile = var.aws_profile
  region  = var.aws_region
}


# Some aws services must be provisioned in us-east-1,
# (cloudfront only works with acm certs issues in us-east-1)
# so we have a separate "aliased" provider for this.
provider "aws" {
  alias   = "us_east_1"
  profile = var.aws_profile
  region  = "us-east-1"
}


# Variables not allowed in this block
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }


  backend "s3" {
    bucket  = "my-app-terraform-state-bucket"
    key     = "terraform.tfstate"
    region  = "eu-west-1"


    dynamodb_table = "terraform-state-lock"
    encrypt        = true
  }
}

setup billing alert