logs sent to s3 bucket

Signed-off-by: Akhil <2100030084@kluniversity.in>

Author: git-user-9

.gitignore

@@ -35,3 +35,5 @@ override.tf.json
 # Ignore CLI configuration files
 .terraformrc
 terraform.rc
+
+.terraform.lock.hcl

README.md

@@ -8,17 +8,17 @@ This project automates the provisioning of an EC2 instance and the deployment of
 
 ```
 tech_eazy_devops_git-user-9/
-├── README.md
-├── terraform/
-│   ├── main.tf
-│   ├── outputs.tf
-│   ├── variables.tf
-│   ├── dev_config.tfvars
-│   └── prod_config.tfvars
-└── scripts/
-    ├── deploy.sh
-    ├── dev_script.sh
-    └── prod_script.sh
+├── README.md                  # Project documentation
+├── terraform/                 # Contains Terraform configurations
+│   ├── main.tf                # Main Terraform configuration file
+│   ├── outputs.tf             # Defines Terraform outputs (e.g., EC2 public IP)
+│   ├── variables.tf           # Declares input variables for Terraform
+│   ├── dev_config.tfvars      # Terraform variable values for the 'dev' environment
+│   └── prod_config.tfvars     # Terraform variable values for the 'prod' environment
+└── scripts/                   # Shell scripts for deployment and configuration
+    ├── deploy.sh              # Automates the Terraform apply process for a given environment
+    ├── dev_script.sh          # User-data script for configuring EC2 in the 'dev' environment
+    └── prod_script.sh         # User-data script for configuring EC2 in the 'prod' environment
 ```
 
 ---
@@ -66,8 +66,8 @@ export AWS_DEFAULT_REGION=ap-south-1
 ### 1️⃣ Clone the Repository
 
 ```bash
-git clone <your-repo-url>
-cd tech_eazy_devops_git-user-9
+git clone https://github.com/git-user-9/tech_eazy_devops_git-user-9.git app
+cd app
 ```
 
 ### 2️⃣ Run the Deployment Script
@@ -81,6 +81,8 @@ The script will:
 - Load the corresponding Terraform variable file
 - Initialize and apply the Terraform configuration
 - Output the public IP of the created EC2 instance
+- Upload logs to S3 bucket
+- Shutdown the instance after 10-15 minutes (configurable)
 
 ### 3️⃣ Access the Application
 
@@ -100,9 +102,11 @@ http://<your-ec2-ip>:80
 
 ### User Data (inside shell script):
 - Updates the system
-- Installs Java 21, Git, and Maven
+- Installs AWS CLI, curl, unzip, Java 21, Git, and Maven
 - Clones and builds your application
 - Launches the application on port 80
+- Uploads logs to S3 bucket
+- Shuts down the instance after 10-15 minutes (configurable)
 
 ---
 
@@ -117,7 +121,7 @@ http://<your-ec2-ip>:80
 ## 💬 **FAQ**
 
 **Q: Can I deploy to a different AWS region?**  
-Yes. Modify the `region` value in `terraform/main.tf` or export `AWS_DEFAULT_REGION`.
+Yes. Modify the `aws_region` value in `terraform/variables.tf`, `dev_config.tfvars` and `prod_config.tfvars`
 
 
 

scripts/deploy.sh

@@ -37,5 +37,7 @@ curl "http://$RAW_INSTANCE_IP:80"
 
 echo "[+] Instance Public IP: $RAW_INSTANCE_IP"
 
-sleep 650
-terraform destroy -var-file="$CONFIG_FILE" -auto-approve
+
+# sleep 650
+
+# terraform destroy -var-file="$CONFIG_FILE" -auto-approve

scripts/dev_script.sh

@@ -1,25 +1,38 @@
 #!/bin/bash
 set -e
 
-# Update and install dependencies
+# Update system and install dependencies
 apt-get update -y
-apt-get install -y openjdk-21-jdk maven git
+apt-get install -y unzip curl git openjdk-21-jdk maven
+
+# Install AWS CLI v2
+curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+unzip awscliv2.zip
+sudo ./aws/install
+
 
 # Set JAVA_HOME
 export JAVA_HOME=$(dirname $(dirname $(readlink -f $(which java))))
 echo "export JAVA_HOME=$JAVA_HOME" >> /etc/profile
 export PATH=$JAVA_HOME/bin:$PATH
 
-# Clone the repo
 cd /home/ubuntu
-git clone https://github.com/techeazy-consulting/techeazy-devops app
+git clone ${repo_url} app
+#git checkout HEAD~1 # Latest commit in repo has bug two @GetMapping("/")
+
 cd app
-# git checkout HEAD~1 # Latest commit in repo has bug two @GetMapping("/")
+mvn clean package
+
+# Run the Java app
+nohup java -jar target/*.jar --server.port=80 > /var/log/my-app.log 2>&1 &
+
+# Wait for the app to start
+sleep 30
 
-# Build the application
-mvn package
+# Upload Logs to S3
+aws s3 cp /var/log/cloud-init.log s3://${s3_bucket_name}/system/
+aws s3 cp /var/log/my-app.log s3://${s3_bucket_name}/app/
 
-# Run the app in background and redirect output
-nohup java -jar target/techeazy-devops-0.0.1-SNAPSHOT.jar > /home/ubuntu/app.log 2>&1 &
+# Shutdown after timeout
+sudo shutdown -h +${shutdown_minutes}
 
-shutdown -h +10

scripts/prod_script.sh

@@ -1,25 +1,38 @@
 #!/bin/bash
 set -e
 
-# Update and install dependencies
+# Update system and install dependencies
 apt-get update -y
-apt-get install -y openjdk-21-jdk maven git
+apt-get install -y unzip curl git openjdk-21-jdk maven
+
+# Install AWS CLI v2
+curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+unzip awscliv2.zip
+sudo ./aws/install
+
 
 # Set JAVA_HOME
 export JAVA_HOME=$(dirname $(dirname $(readlink -f $(which java))))
 echo "export JAVA_HOME=$JAVA_HOME" >> /etc/profile
 export PATH=$JAVA_HOME/bin:$PATH
 
-# Clone the repo
 cd /home/ubuntu
-git clone https://github.com/techeazy-consulting/techeazy-devops app
+git clone ${repo_url} app
+#git checkout HEAD~1 # Latest commit in repo has bug two @GetMapping("/")
+
 cd app
-# git checkout HEAD~1 # Latest commit in repo has bug two @GetMapping("/")
+mvn clean package
+
+# Run the Java app
+nohup java -jar target/*.jar --server.port=80 > /var/log/my-app.log 2>&1 &
+
+# Wait for the app to start
+sleep 30
 
-# Build the application
-mvn package
+# Upload Logs to S3
+aws s3 cp /var/log/cloud-init.log s3://${s3_bucket_name}/system/
+aws s3 cp /var/log/my-app.log s3://${s3_bucket_name}/app/
 
-# Run the app in background and redirect output
-nohup java -jar target/techeazy-devops-0.0.1-SNAPSHOT.jar > /home/ubuntu/app.log 2>&1 &
+# Shutdown after timeout
+sudo shutdown -h +${shutdown_minutes}
 
-shutdown -h +10

terraform/dev_config.tfvars

@@ -2,3 +2,6 @@ instance_type    = "t2.micro"
 key_name         = "ssh-key-ec2"
 stage            = "Dev"
 shutdown_minutes = 10
+s3_bucket_name   = "techeazy-logs-dev-unique123ss" # Change this!
+aws_region       = "ap-south-1"
+repo_url         = "https://github.com/techeazy-consulting/techeazy-devops"

terraform/ec2.tf

@@ -0,0 +1,53 @@
+# Security Group
+resource "aws_security_group" "web_sg" {
+  name        = "web-sg-${var.stage}"
+  description = "Allow HTTP and SSH"
+
+  ingress {
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name  = "WebSG-${var.stage}"
+    Stage = var.stage
+  }
+}
+
+# EC2 Instance
+resource "aws_instance" "app" {
+  ami                    = var.ami_id
+  instance_type          = var.instance_type
+  key_name               = var.key_name
+  vpc_security_group_ids = [aws_security_group.web_sg.id]
+  iam_instance_profile   = aws_iam_instance_profile.ec2_instance_profile_b.name
+
+
+  user_data = templatefile("${path.module}/../scripts/${lower(var.stage)}_script.sh", {
+    s3_bucket_name   = var.s3_bucket_name
+    aws_region       = var.aws_region
+    repo_url         = var.repo_url
+    shutdown_minutes = var.shutdown_minutes
+  })
+
+  tags = {
+    Name  = "TecheazyApp-${var.stage}"
+    Stage = var.stage
+  }
+}

terraform/iam.tf

@@ -0,0 +1,96 @@
+# Role A: Read-Only Access to S3
+resource "aws_iam_role" "role_a_readonly" {
+  name = "readonly_s3_role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Principal = {
+          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/uploadonly_s3_role"
+        },
+        Action = "sts:AssumeRole"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_policy" "readonly_policy" {
+  name        = "readonly_s3_policy"
+  description = "Allows read-only access to S3"
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Action   = ["s3:ListBucket", "s3:GetObject"],
+        Effect   = "Allow",
+        Resource = ["arn:aws:s3:::${var.s3_bucket_name}", "arn:aws:s3:::${var.s3_bucket_name}/*"]
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "readonly_attach" {
+  role       = aws_iam_role.role_a_readonly.name
+  policy_arn = aws_iam_policy.readonly_policy.arn
+}
+
+# Role B: Write-Only Access to S3
+resource "aws_iam_role" "role_b_uploader" {
+  name = "uploadonly_s3_role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect    = "Allow",
+        Principal = { Service = "ec2.amazonaws.com" },
+        Action    = "sts:AssumeRole"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_policy" "uploadonly_policy" {
+  name        = "uploadonly_s3_policy"
+  description = "Allows write-only access to S3 and the ability to assume Role A"
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect   = "Allow",
+        Action   = ["s3:PutObject", "s3:CreateBucket"],
+        Resource = ["arn:aws:s3:::${var.s3_bucket_name}", "arn:aws:s3:::${var.s3_bucket_name}/*"]
+      },
+      {
+        Effect   = "Deny",
+        Action   = ["s3:GetBucket"],
+        Resource = ["arn:aws:s3:::*"]
+      },
+      {
+        Effect   = "Allow",
+        Action   = ["sts:AssumeRole"],
+        Resource = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/readonly_s3_role"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "uploadonly_attach" {
+  role       = aws_iam_role.role_b_uploader.name
+  policy_arn = aws_iam_policy.uploadonly_policy.arn
+}
+
+# Instance profiles for EC2
+resource "aws_iam_instance_profile" "ec2_instance_profile_a" {
+  name = "${var.stage}_readonly_instance_profile"
+  role = aws_iam_role.role_a_readonly.name
+}
+
+resource "aws_iam_instance_profile" "ec2_instance_profile_b" {
+  name = "${var.stage}_writeonly_instance_profile"
+  role = aws_iam_role.role_b_uploader.name
+}

terraform/main.tf

@@ -2,41 +2,5 @@ provider "aws" {
   region = var.aws_region
 }
 
-resource "aws_security_group" "web_sg" {
-  name        = "web-sg-${var.stage}"
-  description = "Allow HTTP and SSH"
-
-  ingress {
-    from_port   = 80
-    to_port     = 80
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-  ingress {
-    from_port   = 22
-    to_port     = 22
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-}
-
-resource "aws_instance" "app" {
-  ami                    = var.ami_id
-  instance_type          = var.instance_type
-  key_name               = var.key_name
-  vpc_security_group_ids = [aws_security_group.web_sg.id]
-
-  user_data = file("${path.module}/../scripts/${lower(var.stage)}_script.sh")
-
-  tags = {
-    Name  = "TecheazyApp-${var.stage}"
-    Stage = var.stage
-  }
-}
+# Data source for current AWS account
+data "aws_caller_identity" "current" {}