Whether you've created a new wordpress site from scratch via the guide from our friend Hiro who runs awsnewbies. Or you've just made a new AMI from our existing projectreclass.org SSL is a must. It is necessary to securely send data over HTTPS rather than HTTP, not only is it best practice but it improves our visibility and our reputation

Bitnami allows us to configure SSL utilizing Let's Encrypt with their built in tool bncert-tool. Configuring SSL is as easy as running this tool.

Step 1: Open your terminal and SSH into your server

sudo ssh -i my-key.pem bitnami@my.server's.ip.address

Step 2: Run the bncert-tool

Access the tool by utilizing the absolute path

sudo /opt/bitnami/bncert-tool

Step 3: Configure the root domain and the subdomain "www."

When prompted enter the following

projectreclass.org www.projectreclass.org

Step 4: HTTP redirection to HTTPS

The next step will ask if you'd like to forward http requests to https. The answer is yes type y and press Enter

Step 5: Domain vs Subdomain redirect

This next portion will ask if you'd like non-www to redirect to www and vice versa. You can only say yes to one of these options. The decision is yours. I like to redirect www requests to non-www domain. This will result in the following behavior.

If a user types www.projectreclass.org the domain will redirect to projectreclass.org If you'd like you can enable the opposite behavior during this step.

Step 6: Just say Yes!

Bitnami will then tell you it needs to restart the server for the changes to take effect it should only bring the site down for a minute or so. Once it's brought back up you'll see the SSL confirmation you're seeking. Bitnami will also ask for a email address to reference, in this case the address is: admin@projectreclass.org

What does the Reclass Infrastructure look like?

The Infrastructure for project reclass is hosted on AWS. This infrastructure hosts the main website: projectreclass.org as well as the main product at: toynet.projectreclass.org

All of the instances, networking, and services are built out with Terraform the only resources not built via Terraform are the route53 dns entries - the majority of which are and must be managed manually.

While the main website is a simple wordpress site hosted on an EC2 instance and named with an A record on Route53; the toynet infrastructure is a bit more complex this diagram presents a graphical representation of the toynet infrastructure.

The above is a basic represnetation of the toynet infrastructure, it does not include smaller details such as subnets, availability zones, how access is managed, etc.

What is toynet built on?

Toynet is built on top of the mininet technology. The toynet application lives in a docker container and is deployed in an EC2 instance via docker-compose.

How can I push my Terraform code to AWS?

In order to create resources on AWS you will need a vaild access key on your machine, Terraform will automatically read these keys for you as long as your enter them when you run aws configure

The above illustrates the default for an AWS configure, our default region is ohio or us-east-2 and our default output format is json.

Additionally, you'll see the last 4 characters correspond to an AWS Access Key ID and an AWS Secret Access Key yours will be different.

How do I obtain an AWS Access Key?

In order to obtain an AWS access key you'll need an AWS account, access keys can be managed in the IAM section of AWS. Ensure you save the file or store your access keys in a safe place as they will only be viewable simultaneously, once.

Need help logging into a server?

SSH credentials are managed by via AWS OpsWorks, this will allow each user to specify their public key, and utilize their own private key to access each server in a stack!

Further, ensure your user has proper Instance Access

Accessing these docs

Once the space has been enabled and added to a primary channel - this is for gitbook admin alerts - you can access these docs from any channel in the slack organization.

To do this simply run /gitbook [search query] this will send a message to everyone in the channel with the results. You can also do this in private messages, even with yourself.

What is the cloud?

There are two types of clouds those made mostly of water, and those made mostly of Linux servers, we'll be using the latter. In generally, "the cloud" is just a physical server hosted, paid for, and managed by another entity. Virtualization is used to split the resources a physical server to maximum use, and allows multiple entities to build their products on the same physical devices.

Giants such as Google, Microsoft, and Amazon have massive data centers which allow them to promise a higher average uptime than most smaller companies and even individuals to start utilizing their resources for little to no cost.

Why the cloud?

The cloud has little to know upfront costs, automates a lot of otherwise difficult issues, as well as offers an all in one approach making it easy to pivot to new technology or even simply pay for the services or management of something your team may not be prepared to implement themselves.

I firmly believe the cloud is the future and most organizations should move to a hybrid-cloud configuration. The cloud offers more efficiency, reliability, and optimization for the comparable price.

How do I get started with AWS

You can create an account and start creating virtual machines by following the .

How to use the aws cli?

The awscli is one of the most powerful tools that AWS has to offer and offers many options that may be unavailable or non-existent within the graphical environment. After you've created an accoutn you can create a you need to perform operations.

After which you'll need to create and grab the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY . You will add these credentials to your machine by running:

You'll also have the option to enter the region and default preferred output.

Migrating the projectreclass.org domain

Beginning April 2021 AWS no longer allows domain transfer between AWS accounts via GUI. Thereby, the aws CLI must be utilized. Utilize this guide to install the AWS CLI.

Configure access to AWS. Ensure the permissions allow you to make changes to Route53

Initiate the domain transfer:

$ aws route53domains transfer-domain-to-another-aws-account --domain-name projectreclass.org --account-id ${YOUR-NEW-ACCOUNT-ID}

First you'll need to run aws configure again in order to switch to the accepting account

Next you must accept the transfer

$ aws route53domains accept-domain-transfer-from-another-aws-account \
    --domain-name projectreclass.org \
    --password ${password}

After the domain transfer has been accepted, you'll need to create a new hosted zone or import the old hosted zone into the new account.

It is important to note that transferring a domain does not break any existing DNS records, this is due to the nameservers still being owned and operated by the original hosted zone, and by extension Route53. AWS explicitly tells us that the domain adn the DNS records do not need to be owned by the same account for routing to occur. While importing the hosted zone is likely the easiest way to migrate the domain, you may want to migrate and create records at your own pace. If this is the case remember you'll need to create a new hosted zone for the domain, remember to update the NS for the domain under Route53 -> Domains -> ${DOMAIN-NAME} in the graphical environment.

Migrating the projectreclass.org website

In order to migrate the website in it's current state, create an AMI of the EC2 instance in which it is hosted, make this AMI private.

To create the AMI go to the EC2 list select the server you'd like to make an image from and go to Actions -> images and templates -> create image

Fill out the AMI image name and descritpion, enable no reboot if uptime is a must and then click "create image":

You'll be able to find a list of all AMI images on the sidebar under Images -> AMI

Finally select your AMI go to the permissions, and allow access to the new AWS Account by entering the new Account ID. Then you'll be able to access and launch the image. It'll be under the same sidebar Images -> AMI and under the "Private" filter

Once the domain and image have been properly trasnferred add an A record pointing the domain projectreclass.org -> ${ip.ip.ip.ip} to the new IP address of the newly launched server

Migrating the Toynet Infrastructure

Assuming everything has gone well thus far, migrating toynet should be simple. Toynet is deployed automatically utilizing Terraform code.

 github clone https://github.com/Project-Reclass/infrastructure.git
 cd ./infrastructure/terraform/toynet/production
 terraform init
 terraform apply toynet-deployment-production.tf

What is Buddy Bot?

Buddy bot is a lightweight tool written in Typescript that reminds Reclass members to clock in and out with style.

How to use buddy bot

Like all our greatest tools, buddy bot runs in a docker container and can be pulled from our repo:

docker pull projectreclass/buddy-bot:latest

Running Buddy Bot

First you'll need to mount a file to buddy bot you can use our default config by running wget on the following: https://raw.githubusercontent.com/Project-Reclass/buddy-bot-slack/master/default-config.json

From here you can mount the file to image:

docker run -d -v $(pwd)/default-config.json:/app/dist/default-config.json \
-e $SLACK_TOKEN --name buddy-bot projectreclass/buddy-bot:latest

What is a command?

A command is tool in the terminal that typically accepts options and arguments. The syntax is generally command [options] (arguments) many commands can be run with or without arguments and most can be run without options in this instance we'll utilize ls as our example.

ls 
# without any arguments this list all files in the current directory
# output will look like the following: 
directory1 directory2 file1 file2 

# ls can be run with options one example is the all option
# all can be run as such 

`ls --all` OR `ls -a`
# Options typically have long and short forms. The short form is called 
# with a single `-` while the long form is called with a double `--`
# without an argument this will still list items in the current directory
# however this option will also show hidden files
# the ouput will be similar to the following: 
.bashrc .hiddendirectory .hiddenfile .ssh directory1 directory2 file1 file2

# you can also call ls with both options and an argument let's look into 
# our directory1 directory 

ls -a directory1
# this is an empty directory so the only results will be the directory
# itself `.` and the reference to the directory before it `..`
./ ../ 

Why Go?

Go is a powerful language that powers the infrastructure that Project Reclass runs on. Docker, Kubernetes, Terraform, Vault, and even our chatbots are written in Go. Having even a basic understanding of the language can assist in making important infrastructure decisions, and interacting with the tools we utilize. Go also has a very large, friendly and diverse community.

Installation

First you'll need to install Golang, you can do so here. Go is often also found in most package managers so you can install it using the default manager for your system.

Follow the below instructions to properly finish setup on your Linux System

rm -rf /usr/local/go && tar -C /usr/local -xzf go1.16.5.linux-amd64.tar.gz
# Remove any previous versions of go and unzip the new version

export PATH=$PATH:/usr/local/go/bin
# Add Go to your $PATH

go version
# You should be able to run this from anyway and get the most recent version

Writing the Code

Create a file named main.go and add the following:

// this is a comment

package main // You'll always need a package name this is usually main

import (
    "fmt" // "fmt" is the format package and contains the Println func
)

func main() { // You'll need a main function to run your code
    fmt.Println("Hello, Project Reclass") //Println prints to stdout and formats
}

Save your code and run go run main.go

More Resources

There are several solid resources for go the docs page being a great goto

Other tools I like are gobyexample and Learn Go with Tests

Finally, check out the Go Playground and Play with Go

Check out your new networking buddy https://www.toynet.projectreclass.org

Getting Started

• Running in Development

• Testing PRs

• Testing Master

• Available Scripts

• Recommended IDE Plugins

• Learn More

Because toynet uses multiple services, docker-compose was introduced to help start each services and connect them on local machines. Docker compose port maps each service running (e.g. frontend and backend). The frontend application when used in a docker container normally runs on port 80, however, docker-compose maps port 3000 of the local machine to port 80 on the container. For the backend, it normally exposes port 8000 in the container, because port 8000 is not a system port, the docker-compose just maps port 8000 to port 8000 on the local machine.

This port mapping is represented in the docker-compose as

services:
  backend:
    ...
    ports:
      - "8000:8000"
# or
  frontend:
    ...
    ports:
      - "3000:80"

backend -> 8000 frontend -> 3000

Dependencies

The below software is required in order to get setup to run toynet-react.

• Git (Install Guide)

• Docker (Install Guide)

• Docker-Compose (Install Guide)

• Node.js and NPM (Install Guide)

Running in Development

Because there are two parts to toynet there is a docker-compose that is useful to get started developing as a fast as possible.

To start

$ git clone https://github.com/Project-Reclass/toynet-react.git
$ cd toynet-react

The docker-compose file can then be run in the background using

$ docker-compose -f docker-compose.dev.yml up -d --build

Before starting the frontend of toynet you will need to install all the dependencies. This can be done using

After the docker-compose starts up you can start toynet-react for development using

and navate to http://localhost:3000.

Testing Pull Requests with Docker Compose

Testing pull requests can be done without cloning down or checking out the pull request on the local machine. Because toynet-react uses docker-compose pull-requests can be previewed by just using the docker-compose file.

For Linux run

$ wget https://raw.githubusercontent.com/Project-Reclass/toynet-react/master/docker-compose.yml

On Windows (Powershell) run

$ wget https://raw.githubusercontent.com/Project-Reclass/toynet-react/master/docker-compose.yml -Outfile docker-compose.yml
# or
$ Invoke-WebRequest https://raw.githubusercontent.com/Project-Reclass/toynet-react/master/docker-compose.yml -Outfile docker-compose.yml

Edit the docker-compose.yml file to include the GitHub PR id.

services:
  ...
  frontend:
    build: https://github.com/Project-Reclass/toynet-react.git#pull/{pull-request-number}/head
    # e.g. https://github.com/Project-Reclass/toynet-react.git#pull/14/head

And then run

$ docker-compose up --build

The PR app can then be previewed at http://localhost:3000

Testing the Master Branch

The master or default branch can be tested in much the same way that PR previews can be tested.

$ wget https://raw.githubusercontent.com/Project-Reclass/toynet-react/master/docker-compose.yml

Edit the docker-compose.yml file use master or the default branch instead of a PR id.

services:
  ...
  frontend:
    build: https://github.com/Project-Reclass/toynet-react.git#master
    # e.g. instead of https://github.com/Project-Reclass/toynet-react.git#pull/14/head

And then run

$ docker-compose up --build

The app can then be accessed at http://localhost:3000.

IDE Plugins

Some plugins that you might find helpful are

• ESLint

• React

• VSCode Styled Components

Available Scripts

In the project directory, you can run:

• npm run start - Runs the app in the development mode. Open http://localhost:3000 to view it in the browser. The page will reload if you make edits. You will also see any lint errors in the console.

• npm test - Launches the test runner in the interactive watch mode. See the section about running tests for more information.

• npm run style:fix - Fixes any automatically fixable ESLint errors.

• npm run style:check - Checks and displays any ESLint errors.

• npm run check-types - Checks all typescript types to ensure correct typing.

• npm run build - Builds the app for production to the build folder. It correctly bundles React in production mode and optimizes the build for the best performance. The build is minified and the filenames include the hashes. Your app is ready to be deployed!

See the section about deployment for more information.

Learn More

You can learn more in the Create React App documentation. To learn React, check out the React documentation.

Contributors

• Sammy Tran

• Yi Yang

• Scott Richardson

Attach An Elastic IP

First, you'll want to create and associate an Elastic IP address to the Vault server. You'll utilize this IP address to interact with the vault server as well as the GUI.

Create a A record in Route53 connecting the new Elastic IP to yournew domain name in my case it was vault.projectreclass.org

Install Vault

There will be many conflicting solutions to this especially since most guides are older and prompt you to install the zip file, this is not necessary. Simply follow the official guide for your OS/distribution.

Vault makes installation easy as long as you have a valid network connection no need to complicate it further than this.

Configure Vault

A default configuration should be autocreated for you in /etc/vault.d/vault.hcl I like to start by copying this into a config.hcl

sudo cp /etc/vault.d/vault.hcl /etc/vault.d/config.hcl

Next, you'll update the config.hcl to have the following:

# Full configuration options can be found at https://www.vaultproject.io/docs/configuration

ui = true # Enables the web interface

mlock = true
disable_mlock = true

storage "s3" { # Preferred backend is S3
  bucket = "projectreclass-vault" # Bucket must already exist this is the name
  region = "us-east-2" # Preferred region for production
}

#storage "consul" {
#  address = "127.0.0.1:8500"
#  path    = "vault"
#}

# HTTP listener
#listener "tcp" {
#  address = "127.0.0.1:8200"
#  tls_disable = 1
#}

# HTTPS listener
listener "tcp" { # Always utilize https
  address       = "0.0.0.0:8200" # Listens on any IP on default vault port 8200
  tls_cert_file = "/etc/letsencrypt/live/vault.projectreclass.org/fullchain.pem" #We'll get into how to create these certs later
  tls_key_file  = "/etc/letsencrypt/live/vault.projectreclass.org/privkey.pem"
}

# Example AWS KMS auto unseal
seal "awskms" { # unseals vault on start up
  region = "us-east-2" # Our preferred production region
  kms_key_id = "${YOUR_KMS_KEY_ID_GOES_HERE}"
}

# Example HSM auto unseal
#seal "pkcs11" {
#  lib            = "/usr/vault/lib/libCryptoki2_64.so"
#  slot           = "0"
#  pin            = "AAAA-BBBB-CCCC-DDDD"
#  key_label      = "vault-hsm-key"
#  hmac_key_label = "vault-hsm-hmac-key"
#}

Create A Let's Encrypt Certificate

We need a certificate to enable SSL/TLS all vault communication should happen over HTTPS not HTTP this is how we accomplish that. To start you'll need the CLI tool certbot. The following is for an Ubuntu Image follow the official guide to install certbot for your distubution.

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot

Next we'll create the actual certificate

sudo certbot certonly --standalone -d vault.example.com

And that's it the certificate and keys you'll need will be in the following location

Cert: /etc/letsencrypt/live/vault.example.com/fullchain.pem
PrivKey: /etc/letsencrypt/live/vault.example.com/privkey.pem

As you can see these are the same locations as configured in the config.hcl file

Make Vault A Service

Before we start and initialize vault, we'll do some future planning by making it a service.

To do so create a file in /etc/systemd/system/ and create a file named vault.service It should have the following configuration

[Unit]
Description=vault service # Name of the service
Requires=network-online.target # requires network connection
After=network-online.target 
ConditionFileNotEmpty=/etc/vault.d/config.hcl # requires config.hcl file in /etc/vault.d/

[Service]
EnvironmentFile=-/etc/sysconfig/vault
Environment=GOMAXPROCS=2
Restart=on-failure
ExecStart=vault server -config=/etc/vault.d/config.hcl # Actual vault command executed
StandardOutput=/var/log/vault-output.log
StandardError=/var/log/vault-error.log
LimitMEMLOCK=infinity
ExecReload=/bin/kill -HUP $MAINPID
KillSignal=SIGTERM

[Install]
WantedBy=multi-user.target

After this file is created you'll enable and start the service

sudo systemctl enable vault.service
sudo systemctl start vault.service
# To check if the service is running properly
sudo systemctl status vault.service

At this point vault is likely locked. To unlock it you'll need to enter 3 of the 5 keys it generates. This is the default behavior for vault. To obtain these keys run:

vault operator init

There are two main ways to enter the keys to unlock vault. The first is via the GUI. You should be able to access this by visiting the public IP address of the host machine on port 8200 (e.g. https://127.0.0.1:8200 )

Once Vault is unlocked it should be unlocked every time you start the config with the S3 backend, this is true even when new vault servers are created as long as they refer to the same backend.

You can login with the root token you generated previously. You should now be able to create, manage, and utilize secrets.

Register an Instance

Ensure your IAM user has the proper policy configuration to register an instance. This can be a preexisting instance. I performed the registration via command line so I needed the permission: AWSOpsWorksRegisterCLI_EC2

Next, I ran the registration command:

$ aws opsworks register --use-instance-profile  \
--infrastructure-class ec2 \
 --region us-east-2  \
 --stack-id a08f26f4-4362-4f34-9d57-71492e210e43 \
 --ssh-username [username] \
 --ssh-private-key [private-key-path] i-0aa4b421d6fe86cb8

Once your instance is registered ensure your IAM user has been uploaded to the stack in the user section:

From this page you can also edit your user, change the permissions to allow SSH access, as well as sudo permissions if necessary. Finally, you can upload your own public key to this user!

Using an Instance Profile

If you want to register your instance with the use-instance-profile argument in the command above, you must create an instance profile as an IAM role and assign it to both the instance you are registering and the stack. (You can add it to a stack that already exists by editing its settings, or include this information in your new stack under "Default IAM Instance Profile".)

Ensure that the IAM role has permission to register an instance in Ops Works, and is the same for the instance and the stack. AWS Ops Works will use this profile for registration instead of creating a new one.

What is Docker?

Docker is a container runtime, ultimately run on containerd. Docker is a packaged and more user friendly version with a graphical interface as well as a command line interface suite. Although it has many challengers and potential usurpers, docker remains the go-to tool for containers.

What is a container?

An oversimplification is that a container can be thought of as a much smaller VM. In general VM's require virtualization at the hardware level, hosts an entire OS complete with it's own kernel. A container on the other hand can share resources with it's hosts, leverages user-space a bit better, and can often run only what is necessary for the application. Ultimately, a container is more portable, and consistent than a VM and helps to eliminate the "it worked on my machine" issue.

How do I learn to use Docker containers?

First you'll need to install docker to ensure docker has installed properly you can run your first container with.

docker run -d -p 80:80 docker/getting-started

This will take you through the official guide for docker, and truthfully it's a great tool! It should be accessible via localhost in your browser.

How to use vim

Vim allows you edit files, it'll also create any files that don't exist and open them for editing. Typing vim [filename] is the same as typing touch [filename] followed by vim [filename] you still open an empty file for editing. Let's start by creating and editing a file.

Now that we're in our file we need to enter insert mode this is simple within vim but not intuitive. Simply press i . This will change us from command mode to insert mode we'll type two things: our shebang line to inform our OS how to execute our script #!/bin/bash and our code underneath it echo "Hello World"

So now that we've written our first script. How do we save it? You'll first need to enter command mode to do this press the [escape] key on your keyboard. If you do not have one for some reason you can hold the [control] + [ key at the same time.

Once you've entered command mode you won't be able to edit text in the same way. There are several keybindings so don't start pressing random keys.

Once you've entered command mode you'll need to type the colon key : this should show up at the bottom of the editor.

Once the colon is present you can type wq to save your changes and exit vim.

The 3 Permission groups

By now you've been running ls -l or other commands and writing scripts, and are wondering what exactly are linux permissions. Everything in Linux is considered a file this allows everything to be managed by the same file permissions there are 3 basic groups for permissions.

So there are three main entities: the Owner of the file this is typically the original creator. The Group this is typically the same primary group as the owner. And other or all this is everyone and thing on the system that is not either the owner or in the approved group. Owner and user will be used interchangeably here.

Further there are three main levels of permissions. Read which only allows a user/group to read a file. Write which allows a user/group to make changes a file. And execute which is required for users/groups to run scripts and enter directories.

Each of these permission levels also has a corresponding number. A user/group with all three permissions would have a value of 7 - the highest. And a user/group with the lowest permission would have a vaule of 1 - the lowest. This may be confusing as there are only 3 permission levels but the break down is as follows.

So you see if a user/group has read, write, and execute permissions for a file they have a vaule of 7. If they only have read and write for a file they would have a value of 6. Despite having a value of 6 a user would still not be able to execute a script or enter a directory without the execute permission level.

Changing the permission level. If the numbers confuse you, you can also set a file permission using the corresponding levels.

Setting permissions with numbers. Truthfully, I believe this to be simpler. Please utilize the above table to follow along. Try to predict the output!

Our first script

First open your favorite text editor and create file named hello.sh

Save the file and exit your text editor.

We'll update our file permission to make the file executable:

Once the script has been made executable it can be run

If you do not recieve the expected output double check the directory, and the permissions of the file, the permissions for the file should be as such.

What we're looking for in this case is the x on the left side of the permissions. For more info on permissions refer to the permissions page below.

Regular user creation

There are many types of users on a Linux system. Regular, system, and the all powerful super user. However, this guide is about making regular users. And giving them permissions to do things.

In order to create and mange users you'll need to use sudo or be root

To create a user named bob:

The user is not alive but they don't have password! Therefore, won't be able to login.

To give the user a password:

Once the user is created and a password is set you'll be able to login as bob

User bob has logged in but doesn't show up in the sudoers file let's troubleshoot:

Since we are utilizing a Redhat Distribution we need to add bob to the wheel group.

Enter the `usermod`

Usermod is a command that allows you to change the attributes of a user, generally this utilized to change either the primary group or add groups to the user to allow them certain permissions. The most popular is adding people to the pre-verified sudo group.

The syntax for usermod is like any other built-in command: command [options] (arguments) in the case of usermod the order of arguments is groups desired to be added followed by the user.

Now that we know our distribution, sudo group, and user to be changed we can give bob the permissions he needs.

Deleting a user

We've given bob a lot of power, the same as us. If bob were to run sudo -i or sudo su - and actually become root he could do whatever he likes. Even more concerning is that bob has quit and now his user on the system needs to be removed. Leaving a user like bob who can utilize sudo is a threat to our security posture.

To clean up bob's home directory, mail directory, groups, and permissions:

The filesystem is the configuration of your system, in linux everything is a file, this makes it easier to interact with all resources on your system, everything will have permissions, and be able to be interacted with in the same basic ways. In order to successfully utilize the terminal you'll need to understand how to traverse the filesystem.

Begin by opening a terminal. The application should already be installed on your machine. The first thing you'll see is the following:

Who are you?

How to see where you are:

What is in here?

How to change locations

How to create a file:

How to remove a file:

How to go back a directory:

Who or what is a super user?

In Linux the super user or administrator account is called root. By default when configuring a system the default user will have the ability to become root.

How do I become root?

There are multiple ways to become or imitate root.

You can become root by running sudo su - or sudo -i

However, because the root account has not limitations; critical issues can occur from simple typos as such it is preferred to imitate or impersonate root.

The preferred method is to utilize sudo before your commands to run them with root priviliges as needed. Avoid becoming root whenever possible instead do something like:

Why can't I run sudo?

If you're attempting to utilize sudo but are running into an error that says something along the lines of :user is not in the sudoers file this incident will be reported then this indicates that your user is not in the proper group to have sudo permissions. Please note that you may alter the sudoers file utilizing visudo to add your user but that is not advised.

Instead you'll need to become root by typing su - and entering root's password - not your user's password.

Once you have successfully authenticated and become root you'll need to add your user to the proper group:

Set Access Credentials for AWS

Configure your AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY with the following

aws configure

This example terraform code should give you an idea of how to create resources in this case we'll be making an EC2 Instance

# Set your provider and region in this case AWS and Ohio 
provider "aws" {
    region = "us-east-2"
}

resource "aws_instance" "my-first-instance" { # resource first then custom name
    ami           = "123gd4df5678a" # image ID is necessary to tell AWS what to build
    instance_type = "t2.nano" # this is the size of the VM. This size is free tier
    key_name      = "My-first-key" # this will tell AWS which key to use, it must already exist
}
    
    # It's important for readability to have equal signs in a resource align
    # Not doing so may cause issues in running this code
    
    # Save and exit this file and run `terraform init` followed by `terraform apply main.tf`
    

Using a Terminal

First open a terminal. You'll need to know or posess the credentials for a user on the remote machine you're attempting to reach

ssh user@127.0.0.1

Within AWS you'll need an ssh key. You can create and download this via the AWS GUI when launching an instance. When you download your .pem file it'll show up in your downloads folder it is recommended you move this to the .ssh directory and updating the permissions. If the permissions aren't updated you won't be able utilize the private key.

mv ~/Downloads/*.pem ~/.ssh/ # mv is move, it moves a file from one 
# location to another. In this case from Downloads to .ssh
cd ~/.ssh
chmod 600 key.pem # change the permissions to user read and write only
ssh -i key.pem ec2-user@127.0.0.1 # execute the command to login

How to SSH with Putty

You should only need to utilize putty in the absence of a terminal. Terminals are built in to all operating systems except Windows. Putty is specifically for ssh from a windows client. All other OS (i.e. linux, bsd, macOS) should follow the instructions above

Within AWS you'll need an ssh key. You can create and download this via the AWS GUI when launching an instance. When you download your .pem file it'll show up in your downloads folder it is recommended you move this to the .ssh directory and updating the permissions. If the permissions aren't updated you won't be able utilize the private key.

Download Putty

You'll also want to grab PuTTyGen as well, AWS will provide you with a .pem file. In order to utilize PuTTy for SSH you'll need to convert this file to a private key.

Open PuTTyGen upload your .pem file from AWS and split the key into a public/private key pair. Store this someone easy to remember, but secure as you'll add the file path to Putty.

Once you've downloaded and launched Putty. Go to the sidebar and expand the SSH and Auth options. You'll then click browse and navigate the location of your newly created privatekey.ppk file.

Afterwards navigate back to the Session tab. You'll be able to enter the IP address of the server under the "Host Name (or IP address) section as well as the SSH port under the "Port" section. For us it'll be the default of 22. Ensure your connection type is SSH

Click open to launch the server and enter the username associated to your key.