IaC 2: Create a DynamoDB Table Using AWS CloudFormation

Chinelo Osuji
6 min read · Jul 29, 2023


What is Amazon DynamoDB?

DynamoDB is an excellent choice for applications that require a scalable, high-performance NoSQL database service. This fully managed database solution brought to us by AWS allows you to replicate data across multiple regions and availability zones for low latency and high availability. DynamoDB is utilized for a wide range of applications, including mobile apps and web applications, gaming and IoT devices.

Use-Case

Let’s say we have a media production and distribution company that creates and distributes movies, TV shows, and other entertainment content to consumers worldwide. As part of their business operations, they need to manage and track information about their media content, including metadata, ratings, and other relevant details. To address this need, the company decides to use Amazon DynamoDB to store and manage their media content data.

So here’s what we will accomplish:

Using AWS CloudFormation, we will:
Create a DynamoDB table for recent Movie releases.
Create 2 t2.micro EC2 instances.
Use an IAM role, following the principle of least privilege, to grant one EC2 instance read-only access to the DynamoDB table.
Use another IAM role to grant the other EC2 instance write-only access to the table.

Using the AWS CLI, we will:
SSH into the instance with write access.
Add 10 different movie releases to the table, including their title, genre, release date, and rating.
Verify we cannot scan the DynamoDB table using this instance.
Then SSH into the instance with read access only.
Scan the DynamoDB table.
Verify we cannot write data to the DynamoDB table using this instance.

Let’s get started.

We can use Notepad or the Vim text editor to create a file for the template.
Below is a CloudFormation template in YAML format that we will use to create our DynamoDB table.
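The article's own template is not reproduced on this page. The template below is an added example written for this edit, not the author's file. It builds what the article describes: the ChineloMovieReleases table with Title as the primary key and global secondary indexes on Genre, ReleaseDate and Rating, a write-only IAM role and a read-only IAM role, and one t2.micro instance per role. The KeyName and AllowedSshCidr parameters, the SSH security group, the Amazon Linux 2023 AMI lookup through the public SSM parameter, the resource and index names, the numeric type for Rating and the assumption that the account has a default VPC are all mine and not taken from the article.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example - movie table, write-only and read-only roles, one t2.micro each

Parameters:
  KeyName:                # existing EC2 key pair used for SSH (assumed to exist)
    Type: AWS::EC2::KeyPair::KeyName
  AllowedSshCidr:         # your own address as a /32; do not open port 22 to 0.0.0.0/0
    Type: String
  LatestAmiId:            # Amazon Linux 2023 AMI resolved from the public SSM parameter
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64

Resources:
  MovieTable:
    Type: AWS::DynamoDB::Table
    DeletionPolicy: Delete          # the table goes away with the stack (Retain keeps it)
    Properties:
      TableName: ChineloMovieReleases
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions:         # only attributes used as table or index keys
        - { AttributeName: Title, AttributeType: S }
        - { AttributeName: Genre, AttributeType: S }
        - { AttributeName: ReleaseDate, AttributeType: S }
        - { AttributeName: Rating, AttributeType: N }   # numeric rating is an assumption
      KeySchema:
        - { AttributeName: Title, KeyType: HASH }
      GlobalSecondaryIndexes:       # query by Genre, ReleaseDate or Rating without a scan
        - IndexName: GenreIndex
          KeySchema: [ { AttributeName: Genre, KeyType: HASH } ]
          Projection: { ProjectionType: ALL }
        - IndexName: ReleaseDateIndex
          KeySchema: [ { AttributeName: ReleaseDate, KeyType: HASH } ]
          Projection: { ProjectionType: ALL }
        - IndexName: RatingIndex
          KeySchema: [ { AttributeName: Rating, KeyType: HASH } ]
          Projection: { ProjectionType: ALL }

  SshSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SSH from the operator address only
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 22, ToPort: 22, CidrIp: !Ref AllowedSshCidr }

  WriteRole:                        # write-only: no GetItem, Query or Scan
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - { Effect: Allow, Principal: { Service: ec2.amazonaws.com }, Action: 'sts:AssumeRole' }
      Policies:
        - PolicyName: MovieTableWriteOnly
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: [ 'dynamodb:PutItem', 'dynamodb:UpdateItem', 'dynamodb:BatchWriteItem' ]
                Resource: !GetAtt MovieTable.Arn    # this table only, never "*"

  ReadRole:                         # read-only: no PutItem, UpdateItem or DeleteItem
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - { Effect: Allow, Principal: { Service: ec2.amazonaws.com }, Action: 'sts:AssumeRole' }
      Policies:
        - PolicyName: MovieTableReadOnly
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: [ 'dynamodb:GetItem', 'dynamodb:BatchGetItem', 'dynamodb:Query', 'dynamodb:Scan' ]
                Resource:
                  - !GetAtt MovieTable.Arn
                  - !Sub '${MovieTable.Arn}/index/*'   # Query against a GSI is authorised on the index ARN

  WriteInstanceProfile:             # the profile, not the role, is what an instance carries
    Type: AWS::IAM::InstanceProfile
    Properties: { Roles: [ !Ref WriteRole ] }
  ReadInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties: { Roles: [ !Ref ReadRole ] }

  WriterInstance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t2.micro
      ImageId: !Ref LatestAmiId
      KeyName: !Ref KeyName
      IamInstanceProfile: !Ref WriteInstanceProfile   # !Ref returns the profile name
      SecurityGroupIds: [ !GetAtt SshSecurityGroup.GroupId ]
  ReaderInstance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t2.micro
      ImageId: !Ref LatestAmiId
      KeyName: !Ref KeyName
      IamInstanceProfile: !Ref ReadInstanceProfile
      SecurityGroupIds: [ !GetAtt SshSecurityGroup.GroupId ]
```

The two roles are where least privilege lives: each policy statement lists only the DynamoDB actions that instance needs and names the table ARN (plus the index ARNs for the reader, because a Query against a GSI is authorised on the index, not the table) instead of dynamodb:* on Resource "*". With these policies a scan from the writer instance and a put-item from the reader instance are both refused by DynamoDB with an AccessDeniedException, which is the "An error occurred…" output checked later in the walkthrough. Because the template creates IAM roles, CloudFormation asks for the IAM acknowledgement on the Step 4 page before it will create the stack. Amazon Linux 2023 ships with the AWS CLI, so the SSH steps below work without installing anything; the CLI picks up the instance role's credentials automatically.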

Now let’s upload the template to CloudFormation.
Go to AWS CloudFormation and click Create stack.

On the Step 1 page, select Template is ready and Upload a template file.
Once you have selected the file, click Next.

On the Step 2 page, enter a Stack name and click Next.

On the Step 3 page, keep all default stack options and click Next.
On the Step 4 page, scroll down, check the box next to "I acknowledge that AWS CloudFormation might create IAM resources", and click Submit.
On the next page, we will see the stack creation in progress. Wait a few minutes for completion.

If we go to Identity and Access Management (IAM) and select Roles, we can see the 2 IAM roles that were created from our stack.

Go to Instances in the EC2 Dashboard.
Here we can see the 2 instances that were created.

When we view the Instance summaries, we can see the specific IAM role that is assigned to each instance.

And when we go to DynamoDB, we can see the table created from our stack along with its global secondary indexes (GSIs).
GSIs are used to run queries on attributes other than the primary key. In this case, the primary key is ‘Title’, and the other attributes are ‘Genre’, ‘ReleaseDate’, and ‘Rating’.

Now let’s head on over to our computer’s terminal.
Run ssh -i "ChineloDynamo.pem" ec2-54-175-229-248.compute-1.amazonaws.com to SSH into the instance with write access only.

Now let’s add 10 different movie releases to the DynamoDB table, including their title, genre, release date, and rating, using a bash script.
Run vim chinelomovies.ps1.
Since I’m using Windows PowerShell, I created the script with a .ps1 extension.
I attempted to create the script with .sh as the extension, but my system did not recognize it and did not execute the script as expected.

Inside the editor, enter the script below.
To save and exit Vim, press the Esc key, type :wq and press Enter.

Run chmod +x chinelomovies.ps1 to make the script executable.

Now run ./chinelomovies.ps1 to execute the script.

Let’s go to DynamoDB in the Console to verify the script was executed successfully.
Under Tables, click Explore items, then select the table we created.
Here we can see the 10 movies that we added to the table.

If we try to run aws dynamodb scan --table-name ChineloMovieReleases to scan the table from the instance that has write access only, we get the “An error occurred…” output shown below, indicating that the IAM role we set earlier is in effect.

Now let’s disconnect and SSH into the instance with read access only.

When we run the aws dynamodb put-item command to write data to the table, we get the “An error occurred…” output shown below.
This indicates the IAM role permissions for this instance are in effect.

Now let’s run aws dynamodb scan --table-name ChineloMovieReleases.
Below is an example of some of the output.
Keep pressing the Enter key to view more data from the table.
Press Ctrl+C to end the scan.

And that’s it for today.
Let’s go back to CloudFormation in the Console and delete the stack so that we’re not charged for these resources any further.
Since the DeletionPolicy was set to Delete for all resources, once we delete the stack, we do not have to delete each resource individually.
We have the option to set the DeletionPolicy to Retain for any resources that we want to keep.

Thank you for reading. See you again next time!
