labs/lab-3/terraform/main.tf

resource "aws_instance" "my_first_linux" {
    instance_type = "t2.micro"
    ami = "ami-06971c49acd687c30"

	security_groups = ["ssh-access-witch"]

    tags = {
        Name = "labs"
    }
}

resource "aws_s3_bucket" "resume-bucket" {
    tags = {
        Name = "labs"
    }
}

resource "aws_s3_bucket" "lab-bucket" {
    tags = {
        Name = "labs"
    }
}

## Security Group
resource "aws_security_group" "ec2_security_group" {
  description = "Restrict SSH to my IP"
}

resource "aws_security_group" "default" {
   description = "default VPC security group"
}


## Roles
resource "aws_iam_role" "daphodell_role" {
    assume_role_policy = jsonencode({
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": {
				"Service": "ec2.amazonaws.com"
			},
			"Action": "sts:AssumeRole"
		},
		{
			"Effect": "Allow",
			"Principal": {
				"AWS": var.ACCOUNT_ROOT_ARN
			},
			"Action": "sts:AssumeRole",
			"Condition": {
				"BoolIfExists": {
					"aws:MultiFactorAuthPresent": "true"
				}
			}
		}
	]})
    tags = {
        Name = "labs"
    }
}

## Policies
## Allow user CLI -> S3 read/write
resource "aws_iam_policy" "assume_role_s3_policy" {
    policy = jsonencode({
			"Version": "2012-10-17",
		    "Statement": [
		        {
		            "Effect": "Allow",
		            "Action": "sts:AssumeRole",
		            "Resource": aws_iam_role.daphodell_role.arn
		        }
		    ]
	})
    tags = {
        Name = "labs"
    }
}

## Allow ec2 -> s3 read/write
resource "aws_iam_policy" "ec2_s3_policy" {
	policy = jsonencode({
    		"Version": "2012-10-17",
    		"Statement": [
    		    {
    		        "Effect": "Allow",
    		        "Action": "s3:ListBucket",
    		        "Resource": "arn:aws:s3:::witch-lab-3"
    		    },
    		    {
    		        "Effect": "Allow",
    		        "Action": "s3:GetObject",
    		        "Resource": "arn:aws:s3:::witch-lab-3/*"
    		    }
    		]
	})
    tags = {
        Name = "labs"
    }
}

# Create AMI
resource "aws_ami_from_instance" "ami_snapshot" {
  name = "ami-snapshot-2025-06-17"
  source_instance_id = aws_instance.my_first_linux.id
  snapshot_without_reboot = true

  tags = {
    Name = "labs"
  }
}

# Launch new instance from AMI
resource "aws_instance" "my_second_linux" {
    instance_type = "t2.micro"
    ami = aws_ami_from_instance.ami_snapshot.id
	security_groups = ["ssh-access-witch"]

    tags = {
        Name = "labs"
    }
}
Finish lab 3 2025-06-16 18:48:28 -07:00			`resource "aws_instance" "my_first_linux" {`
			`instance_type = "t2.micro"`
			`ami = "ami-06971c49acd687c30"`

			`security_groups = ["ssh-access-witch"]`

			`tags = {`
			`Name = "labs"`
			`}`
			`}`

			`resource "aws_s3_bucket" "resume-bucket" {`
			`tags = {`
			`Name = "labs"`
			`}`
			`}`

			`resource "aws_s3_bucket" "lab-bucket" {`
			`tags = {`
			`Name = "labs"`
			`}`
			`}`

			`## Security Group`
			`resource "aws_security_group" "ec2_security_group" {`
			`description = "Restrict SSH to my IP"`
			`}`

			`resource "aws_security_group" "default" {`
			`description = "default VPC security group"`
			`}`


			`## Roles`
			`resource "aws_iam_role" "daphodell_role" {`
			`assume_role_policy = jsonencode({`
			`"Version": "2012-10-17",`
			`"Statement": [`
			`{`
			`"Effect": "Allow",`
			`"Principal": {`
			`"Service": "ec2.amazonaws.com"`
			`},`
			`"Action": "sts:AssumeRole"`
			`},`
			`{`
			`"Effect": "Allow",`
			`"Principal": {`
			`"AWS": var.ACCOUNT_ROOT_ARN`
			`},`
			`"Action": "sts:AssumeRole",`
			`"Condition": {`
			`"BoolIfExists": {`
			`"aws:MultiFactorAuthPresent": "true"`
			`}`
			`}`
			`}`
			`]})`
			`tags = {`
			`Name = "labs"`
			`}`
			`}`

			`## Policies`
			`## Allow user CLI -> S3 read/write`
			`resource "aws_iam_policy" "assume_role_s3_policy" {`
			`policy = jsonencode({`
			`"Version": "2012-10-17",`
			`"Statement": [`
			`{`
			`"Effect": "Allow",`
			`"Action": "sts:AssumeRole",`
			`"Resource": aws_iam_role.daphodell_role.arn`
			`}`
			`]`
			`})`
			`tags = {`
			`Name = "labs"`
			`}`
			`}`

			`## Allow ec2 -> s3 read/write`
			`resource "aws_iam_policy" "ec2_s3_policy" {`
			`policy = jsonencode({`
			`"Version": "2012-10-17",`
			`"Statement": [`
			`{`
			`"Effect": "Allow",`
			`"Action": "s3:ListBucket",`
			`"Resource": "arn:aws:s3:::witch-lab-3"`
			`},`
			`{`
			`"Effect": "Allow",`
			`"Action": "s3:GetObject",`
			`"Resource": "arn:aws:s3:::witch-lab-3/*"`
			`}`
			`]`
			`})`
			`tags = {`
			`Name = "labs"`
			`}`
			`}`

			`# Create AMI`
			`resource "aws_ami_from_instance" "ami_snapshot" {`
			`name = "ami-snapshot-2025-06-17"`
			`source_instance_id = aws_instance.my_first_linux.id`
			`snapshot_without_reboot = true`

			`tags = {`
			`Name = "labs"`
			`}`
			`}`

			`# Launch new instance from AMI`
			`resource "aws_instance" "my_second_linux" {`
			`instance_type = "t2.micro"`
			`ami = aws_ami_from_instance.ami_snapshot.id`
			`security_groups = ["ssh-access-witch"]`

			`tags = {`
			`Name = "labs"`
			`}`
			`}`