# Amazon App Deployment: A DevSecOps Approach with Terraform and Jenkins CI/CD | Docker |

#### Git Hub Link : ``` https://github.com/Bhushan0151/Amazon-FE.git ``` ### Use the below Blog to install Terraform and Aws cli AWS CLI - Terraform -

## **Step1: create an IAM user** Search for IAM -> Click "Users" -> Click "Add users" -> Click the "User name" field. -> Type "Terraform" or as you wish about the name -> Click Next -> Click "Attach policies directly" Click this checkbox with Administrator access -> Click "Next" -> Click "Create user" -> Click newly created user -> Click "Security credentials" -> Click "Create access key" -> Click this radio button with the CLI -> Agree to terms -> Click Next -> Download .csv file

## Step2: Aws Configure Go to vs code or Cmd your wish ``` aws configure ```

Provide your Aws Access key and Secret Access key ## Step3: Terraform files and Provision Jenkins,sonar ### main.tf

```` ``` resource "aws_instance" "web" { ami = "ami-07b36ea9852e986ad" #change ami id for different region instance_type = "t2.large" key_name = "Ohio-pem" vpc_security_group_ids = [aws_security_group.Jenkins-sg.id] user_data = templatefile("./install.sh", {}) tags = { Name = "Jenkins-sonarqube" } root_block_device { volume_size = 30 } } resource "aws_security_group" "Jenkins-sg" { name = "Jenkins-sg" description = "Allow TLS inbound traffic" ingress = [ for port in [22, 80, 443, 8080, 9000, 3000] : { description = "inbound rules" from_port = port to_port = port protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] ipv6_cidr_blocks = [] prefix_list_ids = [] security_groups = [] self = false } ] egress { from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } tags = { Name = "jenkins-sg" } } ``` ```` ### provider.tf ``` terraform { required_providers { aws = { source = "hashicorp/aws" version = "~> 5.0" } } } # Configure the AWS Provider provider "aws" { region = "us-east-2" } ```

### install.sh ``` #!/bin/bash sudo apt update -y sudo apt install fontconfig openjdk-17-jre -y sudo wget -O /usr/share/keyrings/jenkins-keyring.asc \ https://pkg.jenkins.io/debian/jenkins.io-2023.key echo deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] https://pkg.jenkins.io/debian binary/ | sudo tee /etc/apt/sources.list.d/jenkins.list > /dev/null sudo apt-get update -y sudo apt-get install jenkins -y sudo systemctl start jenkins sudo systemctl status jenkins sudo systemctl enable jenkins #install docker sudo apt-get update sudo apt-get install docker.io -y sudo usermod -aG docker ubuntu newgrp docker sudo chmod 777 /var/run/docker.sock docker run -d --name sonar -p 9000:9000 sonarqube:lts-community #install trivy sudo apt-get install wget apt-transport-https gnupg lsb-release -y wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list sudo apt-get update sudo apt-get install trivy -y ```

## **Terraform commands to provision** ``` terraform init terraform validate terraform plan terraform apply ```

### **OUTPUT**** ****-**

``` #jenkins ```

**SonarQube -** Copy your Public key again and paste it into a new tab ```

**Check trivy version** ``` trivy --version ``` ## **Step 4 — Install Plugins like JDK, Sonarqube Scanner, NodeJs, OWASP Dependency Check** ### **4A — Install Plugin** Goto Manage Jenkins →Plugins → Available Plugins → Install below plugins 1 → Eclipse Temurin Installer (Install without restart) 2 → SonarQube Scanner (Install without restart) 3 → NodeJs Plugin (Install Without restart)

### **4B — Configure Java and Nodejs in Global Tool Configuration** Goto Manage Jenkins → Tools → Install JDK(17) and NodeJs(16)→ Click on Apply and Save

## **Step 5 — Configure Sonar Server in Manage Jenkins** Grab the Public IP Address of your EC2 Instance, SonarQube works on Port 9000, so \:9000. Goto your Sonarqube Server. Click on Administration → Security → Users → Click on Tokens and Update Token → Give it a name → and click on Generate Token -> copy Token

Goto Jenkins Dashboard → Manage Jenkins → Credentials → Add Secret Text. It should look like this

Now, go to Dashboard → Manage Jenkins → System and Add like the below image.

Click on Apply and Save **The Configure System option** is used in Jenkins to configure different server **Global Tool Configuration** is used to configure different tools that we install using Plugins We will install a sonar scanner in the tools.

In the Sonarqube Dashboard add a quality gate also Administration--> Configuration-->Webhooks

``` #in url section of quality gate /sonarqube-webhook/ ``` ### Let's go to our Pipeline and add the script in our Pipeline Script. ``` pipeline{ agent any tools{ jdk 'jdk17' nodejs 'node16' } environment { SCANNER_HOME=tool 'sonar-scanner' } stages { stage('clean workspace'){ steps{ cleanWs() } } stage('Checkout from Git'){ steps{ git branch: 'main', url: 'https://github.com/Bhushan0151/Amazon-FE.git' } } stage("Sonarqube Analysis "){ steps{ withSonarQubeEnv('sonar-server') { sh ''' $SCANNER_HOME/bin/sonar-scanner -Dsonar.projectName=Amazon \ -Dsonar.projectKey=Amazon ''' } } } stage("quality gate"){ steps { script { waitForQualityGate abortPipeline: false, credentialsId: 'Sonar-token' } } } stage('Install Dependencies') { steps { sh "npm install" } } } } ``` ### Click on Build now, you will see the stage view like this

To see the report, you can go to Sonarqube Server and go to Projects.

## **Step 6 — Install OWASP Dependency Check Plugins** GotoDashboard → Manage Jenkins → Plugins → OWASP Dependency-Check. Click on it and install it without restart.

### First, we configured the Plugin and next, we had to configure the Tool Goto Dashboard → Manage Jenkins → Tools →

Click on Apply and Save here. ### Now go configure → Pipeline and add this stage to your pipeline and build. ``` stage('OWASP FS SCAN') { steps { dependencyCheck additionalArguments: '--scan ./ --disableYarnAudit --disableNodeAudit', odcInstallation: 'DP-Check' dependencyCheckPublisher pattern: '**/dependency-check-report.xml' } } stage('TRIVY FS SCAN') { steps { sh "trivy fs . > trivyfs.txt" } } ```

### The stage view would look like this,

## **Step 7 — Docker Image Build and Push** We need to install the Docker tool in our system, Goto Dashboard → Manage Plugins → Available plugins → Search for Docker and install these plugins `Docker` `Docker Commons` `Docker Pipeline` `Docker API` `docker-build-step` and click on install without restart

Now, goto Dashboard → Manage Jenkins → Tools →

Add DockerHub Username and Password under Global Credentials

### Add this stage to Pipeline Script ``` stage("Docker Build & Push"){ steps{ script{ withDockerRegistry(credentialsId: 'docker', toolName: 'docker'){ sh "docker build -t amazon ." sh "docker tag amazon bhushann11/amazon:latest " sh "docker push bhushann11/amazon:latest " } } } } stage("TRIVY"){ steps{ sh "trivy image bhushann11/amazon:latest > trivyimage.txt" } } ``` #### Stage View -

You will see the output below, with a dependency trend.

When you log in to Dockerhub, you will see a new image is created

Now Run the container to see if the game coming up or not by adding the below stage ``` stage('Deploy to container'){ steps{ sh 'docker run -d --name amazon -p 3000:3000 bhushann11/amazon:latest' } } ``` ### Stage view

``` ``` ### You will get this output

## Let's destroy everything Go to VS Code and provide the below command (or) Go to the path where you provisioned the Ec2 instance ``` terraform destroy --auto-approve ```

### Pipeline ``` pipeline{ agent any tools{ jdk 'jdk17' nodejs 'node16' } environment { SCANNER_HOME=tool 'sonar-scanner' } stages { stage('clean workspace'){ steps{ cleanWs() } } stage('Checkout from Git'){ steps{ git branch: 'main', url: 'https://github.com/Bhushan0151/Amazon-FE.git' } } stage("Sonarqube Analysis "){ steps{ withSonarQubeEnv('sonar-server') { sh ''' $SCANNER_HOME/bin/sonar-scanner -Dsonar.projectName=Amazon \ -Dsonar.projectKey=Amazon ''' } } } stage("quality gate"){ steps { script { waitForQualityGate abortPipeline: false, credentialsId: 'Sonar-token' } } } stage('Install Dependencies') { steps { sh "npm install" } } stage('OWASP FS SCAN') { steps { dependencyCheck additionalArguments: '--scan ./ --disableYarnAudit --disableNodeAudit', odcInstallation: 'DP-Check' dependencyCheckPublisher pattern: '**/dependency-check-report.xml' } } stage('TRIVY FS SCAN') { steps { sh "trivy fs . > trivyfs.txt" } } stage("Docker Build & Push"){ steps{ script{ withDockerRegistry(credentialsId: 'docker', toolName: 'docker'){ sh "docker build -t amazon ." sh "docker tag amazon bhushann11/amazon:latest " sh "docker push bhushann11/amazon:latest " } } } } stage("TRIVY"){ steps{ sh "trivy image bhushann11/amazon:latest > trivyimage.txt" } } stage('Deploy to container'){ steps{ sh 'docker run -d --name amazon -p 3000:3000 bhushann11/amazon:latest' } } } } ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://bhushans-devops-organization.gitbook.io/advanced-projects/amazon-app-deployment-a-devsecops-approach-with-terraform-and-jenkins-ci-cd-or-docker-or.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.