Terraform for AWS and Commvault
In the previous post I discussed how to use the AWS CLI to prepare your AWS environment for Commvault, specifically the tasks that must be completed before an AWS-based Cloud Library can be configured in Commvault. The AWS CLI can be scripted as well, but a simpler solution is Terraform. I highly recommend reading the following Getting-Started link to get more familiar with Terraform, as it is quite simple. I was able to configure and test on my Mac using brew install terraform. I already have an AWS CLI profile set up, so it is not necessary to specify any account details in the Terraform configuration.
Below is the Terraform to configure a new EC2 instance and S3 bucket, along with the IAM role, trust policy and instance profile that give the instance access to S3. Commvault can then be installed and configured on the instance, and a new Cloud Library configured with the new EC2 MediaAgent.
The following placeholders must be modified; other variables can be changed as required:
- bucket: the S3 bucket name
- vpc_id: your VPC ID
- cidr_blocks: restrict the ingress CIDR blocks to the addresses that actually need access
- ami: the AMI ID you want to launch
- key_name: the name of your key pair
- instance_type: the size that matches your requirements
Terraform for Commvault
provider "aws" {
  region = "us-west-1"
}

# S3 bucket that will back the Commvault Cloud Library
resource "aws_s3_bucket" "b" {
  bucket = "YourBucketName"
  acl    = "private"
}

# Security group for the MediaAgent. Every ingress rule below is open to the
# internet (0.0.0.0/0); narrow each cidr_blocks entry to the addresses that need access.
resource "aws_security_group" "allow_cv" {
  name        = "allow_cv"
  description = "Allow Commvault inbound traffic"
  vpc_id      = "vpc-YourVPCID"

  ingress {
    # Commvault service ports (change to whatever ports you need)
    from_port   = 8400
    to_port     = 8403
    protocol    = "tcp"
    # Please restrict your ingress to only necessary IPs and ports.
    # Opening to 0.0.0.0/0 can lead to security vulnerabilities.
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    # SSH
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    # Please restrict your ingress to only necessary IPs and ports.
    # Opening to 0.0.0.0/0 can lead to security vulnerabilities.
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    # RDP
    from_port   = 3389
    to_port     = 3389
    protocol    = "tcp"
    # Please restrict your ingress to only necessary IPs and ports.
    # Opening to 0.0.0.0/0 can lead to security vulnerabilities.
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 65535
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# IAM role the MediaAgent instance will run under
resource "aws_iam_role" "cvrole" {
  name = "cvrole"

  # Trust policy: only the EC2 service may assume this role
  assume_role_policy = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Service": [
            "ec2.amazonaws.com"
          ]
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
  EOF
}

# S3 permissions for the role. "Resource": "*" grants these actions on every
# bucket in the account; scope it to the library bucket where possible.
resource "aws_iam_role_policy" "cvpolicy" {
  name = "cvpolicy"
  role = aws_iam_role.cvrole.id

  policy = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [
          "s3:ListBucket",
          "s3:GetBucketLocation",
          "s3:CreateBucket",
          "s3:ListAllMyBuckets",
          "s3:PutObject",
          "s3:GetObject",
          "s3:PutObjectTagging",
          "s3:DeleteObject"
        ],
        "Effect": "Allow",
        "Resource": "*"
      }
    ]
  }
  EOF
}

# Instance profile that attaches the role to the EC2 instance
resource "aws_iam_instance_profile" "cvprofile" {
  name = "cvprofile"
  role = aws_iam_role.cvrole.name
}

resource "aws_instance" "CVMediaAgent" {
  ami           = "ami-YourAmiID"
  instance_type = "t2.medium"
  key_name      = "YourKeyPair"

  # The instance must be launched in a subnet of vpc-YourVPCID, otherwise the
  # security group above (which belongs to that VPC) cannot be attached.
  subnet_id = "subnet-YourSubnetID"

  iam_instance_profile = aws_iam_instance_profile.cvprofile.name

  # Reference the security group by ID rather than by name: this works in any
  # VPC (a name lookup only works in the default VPC) and makes Terraform
  # create the group before the instance.
  vpc_security_group_ids = [aws_security_group.allow_cv.id]
}
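As an added example (not from the original post), here is the cvpolicy resource rewritten so that bucket-level and object-level actions are granted only on the library bucket, using jsonencode in place of the heredoc. It assumes the aws_s3_bucket.b and aws_iam_role.cvrole resources above; s3:ListAllMyBuckets stays on "*" because that action is account-wide, and s3:CreateBucket is dropped on the assumption that Terraform, not Commvault, creates the bucket.

```hcl
# Added example, not part of the original post. Assumes aws_s3_bucket.b and
# aws_iam_role.cvrole from the configuration above; replaces the cvpolicy block.
resource "aws_iam_role_policy" "cvpolicy" {
  name = "cvpolicy"
  role = aws_iam_role.cvrole.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Account-wide action: it cannot be scoped to a single bucket
        Effect   = "Allow"
        Action   = ["s3:ListAllMyBuckets"]
        Resource = "*"
      },
      {
        # Bucket-level actions are evaluated against the bucket ARN itself
        Effect   = "Allow"
        Action   = ["s3:ListBucket", "s3:GetBucketLocation"]
        Resource = aws_s3_bucket.b.arn
      },
      {
        # Object-level actions are evaluated against keys inside the bucket
        Effect = "Allow"
        Action = [
          "s3:PutObject",
          "s3:GetObject",
          "s3:PutObjectTagging",
          "s3:DeleteObject"
        ]
        Resource = "${aws_s3_bucket.b.arn}/*"
      }
    ]
  })
}
```

With this in place of the original cvpolicy, terraform plan shows an in-place update of the policy document and no other changes.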