Unlocking IaC Part 2: Setting Up Terraform on Windows for AWS

In Part 1 of this series, I introduced Infrastructure as Code (IaC) concepts, specifically Terraform. I haven’t yet mentioned why someone working in cybersecurity would care about this stuff, but I will now - to be a truly effective security engineer or architect, you have to be able to test your theories (and the claims made by security vendors).

The single best way to do that is to deliver proof of concepts and see the tooling in action, see where it excels, and watch as it fails. If we rely on the UI of AWS (or similar cloud services) to create the infrastructure needed to do this, it will be painfully slow and difficult to quantify test results. For example, what if you missed a config step in the UI, and now your test is delivering different results? Is that a failure of the tool or your experiment?

This will be a lengthy post, but trust me - we want to cover this all at once. Chunking up tasks into smaller, more manageable tasks is a great way to get work done - but we are not here to get work done. We are here to learn something very important. Find an hour or so and silence all the noise in your life (literally & metaphorically). Save this post for that quiet time where you can focus on these fundamental tasks, documenting as you go and remembering what you can.

To get started setting up your Windows machine to build in AWS using Terraform, continue below…

Prereqs for Windows users

The development community has been, is now, and likely will be, for the foreseeable future, in love with either Mac books or Linux laptops. It’s easy to see why, with both offering a Unix-like operating system that streamlines development tasks. There are, however, many people who prefer to work day-to-day on Windows. Yes, I know you can use the Windows Subsystem for Linux (WSL), but for someone getting started in Terraform, it adds a layer of complexity at a point when it isn't required.

To begin using Terraform on Windows, you will need the following:

1. Terraform installed
2. AWS CLI installed & configured
3. An AWS account
4. An AWS IAM user with appropriate permissions
5. Git-SCM (Git for Windows)
6. A Github account (to manage your code)
7. A code editor (I prefer VS Code and will use that here)

Setting up AWS & Terraform

You will need an AWS account; your own personal one is best. You will need to install on your machine the AWS CLI application, which is how Terraform is able to reach out to AWS and make the magic happen. You will also need to install Terraform on your machine. Finally, you will need to configure the AWS CLI with your account-specific details (more info below).

Create an AWS account.

Simply go to this URL:

• https://portal.aws.amazon.com/billing/signup#/start/email

  
  

And complete the signup process. Once that is complete, be sure to securely record your sign-in credentials for later use.

A crash course on AWS IAM (to get up and running with AWS CLI)

AWS Identity and Access Management is a service within AWS. Think of it as any other service, EC2 (virtual machines), Rout53 (DNS), etc...

Specifically, this service provides the backbone for identity management and access management for your AWS account and services. In AWS IAM, you can create users (Alice, Bob, Chris, etc.) and roles (admin, app-admin, read-only, etc.). IAM provides very granular controls over access management, so much detail that it can be overwhelming. For this tutorial, try to block out all those details and keep laser-focused on the task at hand.

Creating a user with programmatic access:

1. Sign in to the AWS Management Console and navigate to IAM (type IAM in the search bar).
2. In the IAM dashboard, click on “Users” in the left navigation pane and then click “Create user”.
3. Enter a user name.
4. Leave the checkbox for "Provide user access to the AWS Management Console - optional" empty.
5. Click on “Next: Permissions”.

Assigning necessary permissions:

1. Click on “Attach existing policies directly”.
2. Search for policies that your Terraform scripts will require. For starting, you might want to use AmazonEC2FullAccess if you'll be managing EC2 instances, but be aware this is a broad permission. For this tutorial in a personal demo AWS account, this will be ok.
3. Check the box next to the policies you want to attach to the user.
4. Click on “Next: Tags” (tags are optional) and then “Next: Review”.
5. Review your choices and click “Create user”.

Safeguarding and using AWS Access Key and Secret Access Key:

After creating the user, you’ll be taken back to the IAM overview page displaying all current users.

1. Click the username you just created.
2. This takes you to the user's detail view. From here, find the "Security Credentials" tab in the middle and click that.
3. Find the "Access Keys" section, then click "Create access key."
4. The next screen presents many options, but we want the "Command Line Interface (CLI)" option. Click that radio button.
5. You will notice a yellow box with two recommendations. In this demo/personal environment, neither of these are hard requirements, but they are good practices to deploy if this were a production environment. You will have to check the box at the very bottom acknowledging you are not using those recommendations.
6. Use a tag to make it easy to remember that this access key is used for (dealer’s choice, you pick - just remember it).
7. Click Create Access Key, at which point you will be taken to a new screen that will give you the Access Key and Secret Access Key. These are sensitive materials; do not share them and do not store them anywhere insecure. Copy them both for use in the AWS CLI configuration steps below.

Install the AWS Command Line Interface (AWS CLI)

Go to this URL:

• https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html

Then, download and install the AWS CLI. Be sure to select Windows, as this page also contains installers for Linux and MacOS. The installation is relatively straightforward, as it doesn't require any configuration to complete.

Configure the AWS CLI

In order to configure the AWS CLI to connect to your AWS account, you need to know a few things.

• You will need credentials, which are like a username and password. In this case, they are the "AWS Access Key ID" and "AWS Secret Access Key," which you obtain from inside your AWS account (more on that below).

• You will also need to know that AWS offers its services in various "regions,” and when you configure the AWS CLI, you have to define a default region that you will connect to. The regions are geographical; some are on the eastern side of the US, and some are out west. Others are in different countries altogether. The main thing here is that you select the region you want to work within (and yes, some regions offer slight differences in the services available).

• Finally, you need to know that you can select a default output format and how you want the CLI to provide information back to you. While you can choose "JSON" or "YAML," which can be great for programmatic purposes, we will choose good 'ol "TEXT," which is the most human-readable format.

  
  

To configure the AWS CLI, you will need to open a CMD or Powershell window and type "aws configure" to get started. At this point, you will be prompted for the AWS Access Key ID, AWS Secret Access Key, Default region name, and the Default output. Enter those values when prompted. A successful AWS CLI configuration will allow you to check it using the following command to pull the configured region info: aws configure get region --profile default. You should see some output here indicating the AWS region you have configured in the default profile.

Download Terraform

Download Terraform from here by selecting the "Windows" tab up top (you can use either the "386" installer, aka 32 bit or "AMD64," aka 64-bit. However, AMD64 is prioritized for bug fixes ahead of 386, so typically choosing that is best):

• https://developer.hashicorp.com/terraform/downloads

  
  

Once that is downloaded, install Terraform how you normally install applications on Windows (your choice).

Set the Terraform $PATH system variable.

When manually installing Terraform like we are here you will need to add the "terraform" executable to the $PATH variable. If you are not familiar with the PATH variable and why it exists, check this out. Essentially, it allows us, the operators of the OS, to use shortcuts to reference applications.

Instead of typing out the full path every time c:\users\chris\path\to\app.exe we simply add c:\users\chris\path\ to the $PATH system variable. Now we can just type app.exe and the OS knows where to find it. Voila, lazy enabled.

To do this, use the following steps. Keep in mind the Terraform application is entirely self-contained. As long as you have terraform.exe, it will run. Therefore you can save it anywhere, just remember where you have saved it so you can reference this path in a moment.

For this example, we saved it to C:\Program Files\Terraform\terraform.exe Create a directory for the Terraform binary, e.g., C:\Program Files\Terraform\

Move the terraform.exe file to this directory.

Right-click on the Windows icon and select System.

Click on System info or System settings.

Click on Advanced system settings.

In the System Properties window, go to the Advanced tab and click on Environment Variables.

In the System Variables section, find and select the Path variable, then click on Edit.

Click on New and then paste in the path to the directory where you placed terraform.exe, e.g., C:\Program Files\Terraform\

Click OK to save and exit out of the open windows.

Verify the Terraform install

Once that step is completed, in the Windows command line (or Powershell), you can check that Terraform is configured by running terraform --version , which should return the version of Terraform installed. If you don't receive this as the output, verify the $PATH is set correctly (navigate to the installed directory for Terraform and try to run terraform --version there; if it works, then you know the $PATH isn't set correctly).

Git-SCM (Git for Windows)

Git is the powerful version control system that powers the modern development world. Services like GitHub, Gitlab, Bitbucket, and others are online hosted repositories for code management. Git runs locally on your machine, where you create the code and connect to services like Github, where you can remotely save your code (and easily find it later, as well as all versions of your code!).

Because Git runs locally, we will need to install it. Git is native on Linux, so we have to use Git-SCM (although I don't know anyone who refers to Git on Windows as Git-SCM... it’s just Git). Git-SCM is a simple download and install, which is found here. Grab the standalone 64-bit edition.

The Github account

GitHub is a service that provides central storage (repository) of code. There are public projects, private projects, users, and so forth. It blends elements of social media, like "tagging," "mentions," and discussions with the needs of developers to provide version control of code and a simple method to work together on a single code project. This is using something else called "Git," an open-source project that provides version control of code. Git can be complex, but for now, just knowing what it is and what it provides is all you need to know.

Head to Github.com and sign up for an account. Currently, the link for that is in the upper right-hand corner. Once your account is created and confirmed, you’re ready to move on to your first Terraform deployment.

The code editor

Choosing a code editor can be as easy or as difficult as you like. For me, when I chose a code editor, I wanted one that was widely used (to make finding "how-tos,” tutorials, and support easy. I also wanted one that provided syntax highlighting (helping you fill in knowledge gaps while you learn) and could integrate with common development or DevOps tools.

While there are several that provide this, the easy choice for me was Visual Studio Code (VSCode for short). Being that you are on Windows, this is a Microsoft-created and supported app that offers a free version that will do everything (and more) that you will need.

It is multi-platform (Mac, Linux, Windows), and it offers simple integrations through "extensions" with things like Terraform syntax highlighting, Git, Github, Gitlab, etc., as well as a built-in "shell" so you can deploy Terraform code without having to switch to a new application (usually CMD or Powershell). You can choose something else or just use notepad.exe - totally fine! However, I will be using VSCode and might reference features unique to it in the following stages of this tutorial.

And the first thing you need to do with VScode is install the Hashicorp Terraform extension. Go to File > Preferences > Extensions (or hit CTRL + SHIFT + X) In the search bar that is at the top, type in "Hashicorp Terraform" and click the extension made by Hashicorp (it will have a blue checkmark next to the name to verify it’s legit). Click install on this. It may reload VSCode - at this point, you are ready to go.

Wrapping up the setup

If this was your first time setting up these services, you have earned a beer (or a high five, you pick, depending on age). Be sure to document anything important, like credentials, URLs, or file locations. If you need to, run through this setup one more time to double-check that everything is sorted out - there are very few things more frustrating than getting stuck on a build step because you missed something previously.

In Part 3, we will be deploying our very first Terraform script. We will walk through line by line and talk about every little detail. By the end of Part 3, you will be deploying Splunk Enterprise into AWS, logging in, and building queries in Splunk.