Create an S3 bucket to store the tfstate file.

resource "aws_s3_bucket" "terraform_state" {
  bucket = "demo-tf-state"

  lifecycle {
    prevent_destroy = true
  }
}

Enable versioning for the bucket.

resource "aws_s3_bucket_versioning" "version_tf_bucket" {
  bucket = aws_s3_bucket.terraform_state.id
  versioning_configuration {
    status = "Enabled"
  }
}

Create KMS keys to encrypt the bucket

resource "aws_kms_key" "mykey" {
  description             = "This key is used to encrypt bucket objects"
  deletion_window_in_days = 10
}

Enable bucket encryption using KMS key.

resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
  bucket = aws_s3_bucket.terraform_state.id

  rule {
    apply_server_side_encryption_by_default {
      kms_master_key_id = aws_kms_key.mykey.arn
      sse_algorithm     = "aws:kms"
    }
  }
}

Create DynamoDB table to enable locking mechanism.

resource "aws_dynamodb_table" "tf-state-locking" {
  name         = "tf-state-locking"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"

  attribute {
    name = "LockID"
    type = "S"
  }
}

Apply the code using the command terraform apply . The resources are now created on AWS. Now, configure your terraform to use the remote backend.
Add the below code inside terraform {}

backend "s3" {
    bucket         = "demo-tf-state"
    key            = "global/s3/terraform/tfstate"
    region         = "us-east-1"
    dynamodb_table = "tf-state-locking"
    encrypt        = true
  }

Now initialise terraform so that it changes the backend from local to AWS using the command terraform init enter yes whenever asked.

Your terraform project now uses AWS S3 bucket and DynamoDB as remote backend.

The entire code I wrote for this guide is as follow,

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
  required_version = ">=1.9.1"

  # Configure s3 as backend
  backend "s3" {
    bucket         = "demo-tf-state"
    key            = "global/s3/terraform/tfstate"
    region         = "us-east-1"
    dynamodb_table = "tf-state-locking"
    encrypt        = true
  }
}

# Configure the AWS Provider
provider "aws" {
  region = "us-east-1"
}

# Create s3 bucket to store tfstate file
resource "aws_s3_bucket" "terraform_state" {
  bucket = "demo-tf-state"

  lifecycle {
    prevent_destroy = true
  }
}

# enable bucket version
resource "aws_s3_bucket_versioning" "version_tf_bucket" {
  bucket = aws_s3_bucket.terraform_state.id
  versioning_configuration {
    status = "Enabled"
  }
}

# create kms key for s3 bucket
resource "aws_kms_key" "mykey" {
  description             = "This key is used to encrypt bucket objects"
  deletion_window_in_days = 10
}

# enable bucket encryption
resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
  bucket = aws_s3_bucket.terraform_state.id

  rule {
    apply_server_side_encryption_by_default {
      kms_master_key_id = aws_kms_key.mykey.arn
      sse_algorithm     = "aws:kms"
    }
  }
}

# create dynamodb table for locking mechanism
resource "aws_dynamodb_table" "tf-state-locking" {
  name         = "tf-state-locking"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"

  attribute {
    name = "LockID"
    type = "S"
  }
}

Step 1 : Launch 2 Ubuntu instance with the name ‘Ansible server’ and ‘Target’.

Step 2 : Setup ansible server

For easy and quick connection, I use ‘EC2 instance connect’

Before we start, let’s refresh the local package index by running the following in the EC2 terminal.

sudo apt update

Install Ansible on EC2 server.

sudo apt install ansible -y

Since the ansible server needs to communicate with the target server, we need to make sure they both are accessible. Let’s create a key in both the instances.

In ansible-server, enter the following command.

ssh-keygen

Just press enter until it creates new key-pair. The terminal should look like this.

Go to the directory where the key is located. In my case it is “/home/ubuntu/.ssh/”

cd /home/ubuntu/.ssh/
ls

Let’s view the contents of the file id_ed25519.pub. Copy the contents of the file as well.

cat id_ed25519.pub

Step 3 : Setting up the target.

Now let’s add the public key of ansible-server in authorized keys file of target server.

cd /home/ubuntu/.ssh/
ls
vi authorized_keys

Paste the key which you copied from the last command of previous step.

Press Esc :wq to save and exit the file.

Step 4 : Writing first ansible code.

On the ansible-server, create a file named ‘inventory’ and enter the private IP of the target. (You may use public IP as well)

vi inventory

Save and exit the file.

Let’s run a command which creates a new directory on the target.

ansible -i inventory all -m "shell" -a "mkdir test-dir"

-i inventory - The -i flag specifies the inventory file. The inventory file contains a list of hosts or groups of hosts where Ansible will run the specified command.

all - This refers to all hosts in the inventory file.

-m shell - The -m option is used to specify the module that Ansible should use. In this case, the shell module is used, which allows you to run shell commands on the remote hosts.

-m “shell” - The -m option is used to specify the module that Ansible should use. In this case, the shell module is used, which allows you to run shell commands on the remote hosts.

-a "mkdir test-dir" : The -a flag specifies the argument passed to the module. In this case, the shell command being executed is mkdir test-dir, which creates a directory named test-dir on each of the remote hosts.

Now, if you run ls command on target, you’ll see a new directory is created.

You may explore the command by running similar functions.

Note : You can also group the target IP in inventory file as follow,

[ec2]
172.31.47.117

[database]
33.205.108.149
15.107.96.143

[webserver]
67.20.137.175
38.93.52.161

Here, ec2, database, webserver are the names of the groups. The target ec2 instance is in the group ‘ec2’. To run the command for the group ‘ec2’ only,

ansible -i inventory "ec2" -m "shell" -a "mkdir test-dir"

Note : To run multiple lines of commands, we generally use ansible playbook.

Step 5 : Create a playbook

Let’s create an ansible playbook which installs nginx on target and starts the server.

Create a new directory, for example ‘book’ and create a new file named ‘first.yml’

mkdir book
cd book
vi first.yml

In the first.yml, paste the following code.

---
- name: Install and start nginx
  hosts: all
  become: true

  tasks:
    - name: Install nginx
      apt:
        name: nginx
        state: present
    - name: Start ngnix
      service:
        name: nginx
        state: started

1. ---

This denotes the beginning of a YAML file.

2. - name: Install and start nginx

This is a descriptive name for the playbook. It summarizes what the playbook will do—install and start the Nginx service.

3. hosts: all

This tells Ansible to run the playbook on all hosts specified in the inventory file. You can specify specific host groups if needed.

4. become: true

This enables privilege escalation, meaning Ansible will run the tasks as a superuser (like root). It is required for tasks that need elevated permissions, such as installing packages or starting services.

5. tasks:

This section lists the tasks Ansible will perform. Each task is a step in the automation process.

Step 6 : Run the playbook

To run the playbook enter the following command.

ansible-playbook -i inventory ec2 first.yml

When you want to write complex playbook, use the command ansible-galaxy . For example ansible-galaxy role init kubernetes

• defaults/: Contains default variable definitions for the role.

• files/: Holds static files to be copied to remote hosts.

• handlers/: Defines tasks that are triggered by notifications.

• meta/: Stores metadata about the role, including dependencies.

• tasks/: Contains the main tasks that the role will execute.

• templates/: Contains Jinja2 templates for dynamic file generation.

• tests/: Includes files and playbooks for testing the role.

• vars/: Contains variables specific to the role that shouldn’t be overridden.

• VPC

• Public subnet

• Internet gateway

• Route table

• Security group

• EC2 instance

• Elastic IP

The complete terraform code for this project is available on github

The project folder contains 4 files as represented in the below structure.

simple-ec2-web-server/
├── main.tf
├── providers.tf
├── datasources.tf
└── user-data.tpl

Step 1 : providers .tf

The providers .tf file allows Terraform to connect and interact with AWS Cloud.

terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}

provider "aws" {
  region                   = "us-east-1"
  shared_credentials_files = ["~/.aws/credentials"]
  profile                  = "vscode"
}

Step 2 : datasources .tf

This file is used to provide the latest ec2 instance ami id to the main .tf file.

data "aws_ami" "instance_ami" {
  most_recent = true
  owners      = ["137112412989"]
  filter {
    name   = "name"
    values = ["al2023-ami-2023.5.20240722.0-kernel-6.1-x86_64"]
  }
}

Step 3 : user-data .tpl

We need to provide user data for the ec2, so that it can download and setup server and display the instance's private ip in the webpage.

#!/bin/bash
# Use this for your user data (script from top to bottom)
# install httpd (Linux 2 version)
yum update -y
yum install -y httpd
systemctl start httpd
systemctl enable httpd
echo "<h1>Hello World from $(hostname -f)</h1>" > /var/www/html/index.html

Step 4 : main .tf

First we need to create a VPC.

resource "aws_vpc" "demo_vpc" {
  cidr_block = "10.0.0.0/16"

  tags = {
    name = "demo-vpc"
  }
}

Then create a public subnet inside the VPC

resource "aws_subnet" "pub_sub_1" {
  vpc_id                  = aws_vpc.demo_vpc.id
  cidr_block              = "10.0.1.0/24"
  availability_zone       = "us-east-1a"
  map_public_ip_on_launch = true

  tags = {
    name = "public-subnet-1"
  }
}

Attach an internet gateway to the vpc

resource "aws_internet_gateway" "demo_internet_gateway" {
  vpc_id = aws_vpc.demo_vpc.id

  tags = {
    Name = "dev-igw"
  }
}

Create a public route table for the vpc

resource "aws_route_table" "demo_public_rt" {
  vpc_id = aws_vpc.demo_vpc.id

  tags = {
    Name = "dev-public-rt"
  }
}

Add a route in the route table which directs 0.0.0.0/0 traffic to internet gateway

resource "aws_route" "default_route" {
  route_table_id         = aws_route_table.demo_public_rt.id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_internet_gateway.demo_internet_gateway.id
}

Associate the route table to the subnet

resource "aws_route_table_association" "demo_public_assoc" {
  subnet_id      = aws_subnet.pub_sub_1.id
  route_table_id = aws_route_table.demo_public_rt.id
}

Create a security group for the vpc. It should allow inbound HTTP traffic on port 80 and all traffic for outbound.

resource "aws_security_group" "demo_sg" {
  name        = "dev-sg"
  description = "dev security group"
  vpc_id      = aws_vpc.demo_vpc.id

# Allow only port 80 inbound
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

# Allow all traffic for outbound
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

Create an ec2 instance with user data

resource "aws_instance" "demo" {
  instance_type          = "t2.micro"
  ami                    = data.aws_ami.instance_ami.id
  user_data              = file("user-data.tpl")
  vpc_security_group_ids = [aws_security_group.demo_sg.id]
  subnet_id              = aws_subnet.pub_sub_1.id
}

Output the public ip of instance in the terminal

output "ec2_public_ip" {
  description = "The public IP of the EC2 instance"
  value       = aws_instance.demo.public_ip
}

Create and define the elastic ip is for use in vpc

resource "aws_eip" "elastic_ip"{
    instance = aws_instance.demo.id
    domain = "vpc"
}

Associate the elastic ip with the ec2 instance

resource "aws_eip_association" "eip_assoc"{
    instance_id = aws_instance.demo.id
    allocation_id = aws_eip.elastic_ip.id
}

Output the elastic ip in the terminal (Just for you to know the elastic IP)

output "ec2_eip" {
  description = "The Elastic IP of the EC2 instance"
  value       = aws_eip.elastic_ip.public_ip
}

Step 5 : Result

Now when you access the public IP of the instance OR the elastic IP (both should be the same) from your browser, you'll see similar webpage. (Please note to access the ip in http:// and not https://)