The assumption is you already have an AWS account set-up, if not, you’ll want to sign up for an account before proceeding.
Manual set-up steps
Before diving into Terraform and actually deploying our application, we have a few one time set-up steps to address:
- Create an AWS access key.
- Create an ECR repository for the docker image we created in part 1 .
- Upload the docker image to ECR.
- Create AWS Secrets Manager entries for our
secret key base,
- Create a key-pair so that we can SSH into our server on AWS once it has been provisioned.
Let’s get at it!
Create an AWS access key
In order to interact with AWS we’re going to need an access key. We can create an access key via the
After logging into the AWS Console just search for and navigate to the IAM home page.
Then click on
On the Users page select
I’ll create a temporary user for this post, we want to select programmatic access for the user.
We’ll make this user an Administrator, this can be done by creating / selecting a group with Administrator Access.
Next on the tags screen and create the user.
.csv file containing the access key / secret credentials as we’ll need these values in the future.
And with that we are ready to create the ECR repository.
Create an ECR repository
In theory we could create the repository via Terraform, but I’m not sure it makes much sense to do so as it’s really a prerequisite of the deployment, so we’ll just create the repository manually. It’s a very simple process, after logging into the AWS Console just search for and navigate to the ECR home page.
From the ECR home page, select
Create repository and then select a name for the repository, we’ll use
We now have a repository for our docker image.
Upload the docker image
Let’s tag and upload the docker image we created in part 1. You’ll need to have the AWS CLI installed in order to upload the image to ECR. If you’re on MacOS, you may want to use Homebrew to install the
CLI… it’s been awhile since I’ve had to install it, but I believe
Homebrew was the easiest option.
You’ll need to replace
<ECR URI> with the actual value for your ECR repository, i.e in my case it would be:
Note: you’ll also need to update the region value if you are using a region other than
After the image has finished uploading, you’ll see it in the ECR repository.
Now that the docker image has been uploaded, the next step is to securely store sensitive environment settings for our application. We’ll do so with AWS Secrets Manager.
AWS Secrets Manager
If you recall from part 1 we have a number of run time settings which we are passing to our docker image. We could specify these directly in our deployment scripts, but that would present a potential security issue. We don’t really want the
database user or
database password values stored in plain text in our deployment scripts.
There are a number of solutions to this, sometimes these values are stored / managed with the CI process / tool being used, but in our case we’ll use AWS Secrets Manager.
Store a new secret.
Then select “
Other type of secrets” and add the
secret_key_base. You’ll want to generate the
value by running
mix phx.gen.secret. You can use any
key you want, but for following along it will be easiest if you use the same key as me for all the secrets, i.e. in this case
We’ll pretend we are creating a
QA environment, so we’ll name the secret appropriately (
Click next, and then next again on the following screen (keeping the defaults, i.e. don’t enable auto rotation), and click
Store on the following page.
Follow the same process for the
database user and
database password fields. I used the following values, and again it will be easiest if you use the same
After adding the above, you should have the following three AWS secrets.
Secrets done! One final step and we’re done with our prerequisites.
Create a key pair
Creating a key pair will allow us to SSH into our AWS server once it is provisioned. This can be handy for inspecting the docker logs or just in general trouble-shooting issues.
Creating a key pair is simple, just navigate to
Select key pairs:
And create and download a new key pair.
Make note of where the
.pem file is located on your local machine. You’ll need it, should you want to SSH into the server once it is provisioned.
That does it for prerequisites, a pretty short post today, next time out will be more exciting, we’ll finally be deploying our application… see you then!
Thanks for reading!