├── .gitignore
├── README.md
├── alb-sg.tf
├── asgs.tf
├── bastion-sg.tf
├── bin
    ├── bastion.sh
    ├── nginx.sh
    ├── tooling.sh
    └── wordpress.sh
├── efs.tf
├── images
    ├── 3tierapplication.drawio.png
    └── iam policy.png
├── launch-templates.tf
├── nginx-sg.tf
├── provider.tf
├── rds.tf
├── vpc.tf
└── webservers-sg.tf


/.gitignore:
--------------------------------------------------------------------------------
 1 | # Local .terraform directories
 2 | **/.terraform/*
 3 | 
 4 | # .tfstate files
 5 | *.tfstate
 6 | *.tfstate.*
 7 | 
 8 | # Crash log files
 9 | crash.log
10 | crash.*.log
11 | 
12 | # Exclude all .tfvars files, which are likely to contain sensitive data, such as
13 | # password, private keys, and other secrets. These should not be part of version 
14 | # control as they are data points which are potentially sensitive and subject 
15 | # to change depending on the environment.
16 | *.tfvars
17 | *.tfvars.json
18 | 
19 | # Ignore override files as they are usually used to override resources locally and so
20 | # are not checked in
21 | override.tf
22 | override.tf.json
23 | *_override.tf
24 | *_override.tf.json
25 | 
26 | # Include override files you do wish to add to version control using negated pattern
27 | # !example_override.tf
28 | 
29 | # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
30 | # example: *tfplan*
31 | 
32 | # Ignore CLI configuration files
33 | .terraformrc
34 | terraform.rc
35 | 
36 | .terraform.lock.hcl
37 | .vscode
38 | devops.pem
39 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # AWS_Terraform_3tier_app
 2 | Code to deploy a 3 tier web application in AWS using Terraform
 3 | 
 4 | ## Project Design Architecture Diagram
 5 | ![Architecture Diagram](./images/3tierapplication.drawio.png)  
 6 | 
 7 | ## Prerequisites For Implementing the project
 8 | - AWS Account
 9 | 
10 |     If you do not currently have an aws account you can open [here](https://aws.amazon.com/resources/create-account/)
11 | 
12 | - Terraform
13 | 
14 |     If you don't have terraform installed on your machine, you can follow this [documentation](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli) to setup terraform 
15 | 
16 | - AWS CLI
17 | 
18 |     You can follow this [AWS Documentation](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) to install or update to the latest version of AWS CLI
19 | 
20 | 
21 | ## SetUp
22 | Login to your [AWS account](https://aws.amazon.com) and navigate to the IAM Dashboard to create an IAM User. Assign administrator access permissions to the user and be sure to download and save your access keys.
23 | 
24 | ![IAM User Permissions](./images/iam%20policy.png)


--------------------------------------------------------------------------------
/alb-sg.tf:
--------------------------------------------------------------------------------
 1 | # external alb Security Group
 2 | resource "aws_security_group" "external-alb-sg" {
 3 |   name = "external-alb-sg"
 4 |   description = "Public internet access"
 5 |   vpc_id = aws_vpc.main.id
 6 |  
 7 |   tags = {
 8 |     Name        = "external-alb-sg"
 9 |   }
10 | }
11 |  
12 | 
13 | # security group rules
14 |  resource "aws_security_group_rule" "public_in_http" {
15 |   type              = "ingress"
16 |   from_port         = 80
17 |   to_port           = 80
18 |   protocol          = "tcp"
19 |   cidr_blocks       = ["0.0.0.0/0"]
20 |   security_group_id = aws_security_group.external-alb-sg.id
21 | }
22 | resource "aws_security_group_rule" "public_out_external_alb" {
23 |   type        = "egress"
24 |   from_port   = 0
25 |   to_port     = 0
26 |   protocol    = "-1"
27 |   cidr_blocks = ["0.0.0.0/0"]
28 |  
29 |   security_group_id = aws_security_group.external-alb-sg.id
30 | }
31 |  
32 | 
33 | 
34 |  
35 | 
36 | # Internal alb Security Group
37 | resource "aws_security_group" "internal-alb-sg" {
38 |   name = "internal-alb-sg"
39 |   description = "Internal ALB"
40 |   vpc_id = aws_vpc.main.id
41 |  
42 |   tags = {
43 |     Name        = "internal-alb-sg"
44 |   }
45 | }
46 |  
47 | 
48 | # security group rules
49 |  resource "aws_security_group_rule" "allow_nginx_port80" {
50 |   type              = "ingress"
51 |   from_port         = 80
52 |   to_port           = 80
53 |   protocol          = "tcp"
54 |   cidr_blocks       = ["0.0.0.0/0"]
55 |   security_group_id = aws_security_group.internal-alb-sg.id
56 | }
57 | 
58 |  resource "aws_security_group_rule" "allow_nginx_port443" {
59 |   type              = "ingress"
60 |   from_port         = 443
61 |   to_port           = 443
62 |   protocol          = "tcp"
63 |   cidr_blocks       = ["0.0.0.0/0"]
64 |   security_group_id = aws_security_group.internal-alb-sg.id
65 | }
66 | 
67 | resource "aws_security_group_rule" "public_out_internal_alb" {
68 |   type        = "egress"
69 |   from_port   = 0
70 |   to_port     = 0
71 |   protocol    = "-1"
72 |   cidr_blocks = ["0.0.0.0/0"]
73 |  
74 |   security_group_id = aws_security_group.internal-alb-sg.id
75 | }
76 |  
77 |  
78 | 
79 |  


--------------------------------------------------------------------------------
/asgs.tf:
--------------------------------------------------------------------------------
 1 | # Bastion ASG
 2 | resource "aws_autoscaling_group" "bastion-asg" {
 3 |   name                      = "bastion-asg"
 4 |   max_size                  = 1
 5 |   min_size                  = 1
 6 |   health_check_grace_period = 300
 7 |   health_check_type         = "ELB"
 8 |   desired_capacity          = 1
 9 | 
10 |   vpc_zone_identifier = [
11 |     aws_subnet.privateSubnet-1.id,
12 |     aws_subnet.publicSubnet-2.id
13 |   ]
14 | 
15 | 
16 |   launch_template {
17 |     id      = aws_launch_template.bastion-launch-template.id
18 |     version = "$Latest"
19 |   }
20 |   tag {
21 |     key                 = "Name"
22 |     value               = "bastion"
23 |     propagate_at_launch = true
24 |   }
25 | 
26 | }
27 | 
28 | 
29 | # Nginx ASG
30 | resource "aws_autoscaling_group" "nginx-asg" {
31 |   name                      = "nginx-asg"
32 |   max_size                  = 1
33 |   min_size                  = 1
34 |   health_check_grace_period = 300
35 |   health_check_type         = "ELB"
36 |   desired_capacity          = 1
37 | 
38 |   vpc_zone_identifier = [
39 |     aws_subnet.privateSubnet-1.id,
40 |     aws_subnet.privateSubnet-2.id
41 |   ]
42 | 
43 | 
44 |   launch_template {
45 |     id      = aws_launch_template.nginx-launch-template.id
46 |     version = "$Latest"
47 |   }
48 |   tag {
49 |     key                 = "Name"
50 |     value               = "nginx"
51 |     propagate_at_launch = true
52 |   }
53 | 
54 | }
55 | 
56 | 
57 | # Wordpress ASG
58 | resource "aws_autoscaling_group" "wordpress-asg" {
59 |   name                      = "wordpress-asg"
60 |   max_size                  = 1
61 |   min_size                  = 1
62 |   health_check_grace_period = 300
63 |   health_check_type         = "ELB"
64 |   desired_capacity          = 1
65 | 
66 |   vpc_zone_identifier = [
67 |     aws_subnet.privateSubnet-1.id,
68 |     aws_subnet.privateSubnet-2.id
69 |   ]
70 | 
71 | 
72 |   launch_template {
73 |     id      = aws_launch_template.wordpress-launch-template.id
74 |     version = "$Latest"
75 |   }
76 |   tag {
77 |     key                 = "Name"
78 |     value               = "wordpress"
79 |     propagate_at_launch = true
80 |   }
81 | 
82 | }


--------------------------------------------------------------------------------
/bastion-sg.tf:
--------------------------------------------------------------------------------
 1 | # Internal alb Security Group
 2 | resource "aws_security_group" "bastion-sg" {
 3 |   name = "bastion-sg"
 4 |   description = "Bastion SG"
 5 |   vpc_id = aws_vpc.main.id
 6 |  
 7 |   tags = {
 8 |     Name        = "bastion-sg"
 9 |   }
10 | }
11 |  
12 | 
13 | # security group rules
14 |  resource "aws_security_group_rule" "allow_ssh_access_from_ipaddress" {
15 |   type              = "ingress"
16 |   from_port         = 22
17 |   to_port           = 22
18 |   protocol          = "tcp"
19 |   cidr_blocks       = ["172.30.240.1/32"]
20 |   security_group_id = aws_security_group.bastion-sg.id
21 | }
22 | 
23 |  resource "aws_security_group_rule" "allow_ssh_access_from_ipaddress_engineers" {
24 |   type              = "ingress"
25 |   from_port         = 22
26 |   to_port           = 22
27 |   protocol          = "tcp"
28 |   cidr_blocks       = ["192.168.215.25/32"]
29 |   security_group_id = aws_security_group.bastion-sg.id
30 | }
31 | 
32 | resource "aws_security_group_rule" "public_out_bastion" {
33 |   type        = "egress"
34 |   from_port   = 0
35 |   to_port     = 0
36 |   protocol    = "-1"
37 |   cidr_blocks = ["0.0.0.0/0"]
38 |  
39 |   security_group_id = aws_security_group.bastion-sg.id
40 | }
41 |  
42 |  
43 | 
44 |  


--------------------------------------------------------------------------------
/bin/bastion.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | # bastion userdata
4 | 
5 | sudo yum update -y
6 | sudo yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
7 | sudo yum install -y dnf-utils http://rpms.remirepo.net/enterprise/remi-release-8.rpm
8 | sudo yum install -y mysql
9 | 


--------------------------------------------------------------------------------
/bin/nginx.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | # nginx userdata
4 | 
5 | sudo yum update -y
6 | sudo yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
7 | sudo yum install -y dnf-utils http://rpms.remirepo.net/enterprise/remi-release-8.rpm
8 | sudo yum install -y nginx git


--------------------------------------------------------------------------------
/bin/tooling.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # tooling userdata 
 4 | 
 5 | sudo yum update -y
 6 | sudo yum install -y mysql git wget
 7 | sudo yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
 8 | sudo yum install -y dnf-utils http://rpms.remirepo.net/enterprise/remi-release-8.rpm
 9 | 
10 | # this section is to install EFS util for mounting to the file system
11 | 
12 | git clone https://github.com/aws/efs-utils
13 | 
14 | cd /efs-utils
15 | 
16 | sudo yum install -y make
17 | 
18 | sudo yum install -y rpm-build
19 | 
20 | make rpm 
21 | 
22 | sudo yum install -y  ./build/amazon-efs-utils*rpm
23 | 


--------------------------------------------------------------------------------
/bin/wordpress.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # wordpress userdata 
 4 | 
 5 | sudo yum update -y
 6 | sudo yum install -y mysql-client zip git wget
 7 | sudo yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
 8 | sudo yum install -y dnf-utils http://rpms.remirepo.net/enterprise/remi-release-8.rpm
 9 | 
10 | # this section is to install EFS util for mounting to the file system
11 | 
12 | git clone https://github.com/aws/efs-utils
13 | 
14 | cd /efs-utils
15 | 
16 | sudo yum install -y make
17 | 
18 | sudo yum install -y rpm-build
19 | 
20 | make rpm 
21 | 
22 | sudo yum install -y  ./build/amazon-efs-utils*rpm
23 | 


--------------------------------------------------------------------------------
/efs.tf:
--------------------------------------------------------------------------------
 1 | # create key from key management system
 2 | resource "aws_kms_key" "efskey-kms" {
 3 |   description = "KMS key "
 4 |   policy      = <<EOF
 5 |   {
 6 |   "Version": "2012-10-17",
 7 |   "Id": "kms-key-policy",
 8 |   "Statement": [
 9 |     {
10 |       "Sid": "Enable IAM User Permissions",
11 |       "Effect": "Allow",
12 |       "Principal": { "AWS": "arn:aws:iam::696742900004:user/project16" },
13 |       "Action": "kms:*",
14 |       "Resource": "*"
15 |     }
16 |   ]
17 | }
18 | EOF
19 | }
20 | 
21 | # create key alias
22 | resource "aws_kms_alias" "alias" {
23 |   name          = "alias/kms"
24 |   target_key_id = aws_kms_key.efskey-kms.key_id
25 | }
26 | 
27 | # create Elastic file system
28 | resource "aws_efs_file_system" "project-efs" {
29 |   encrypted  = true
30 |   kms_key_id = aws_kms_key.efskey-kms.arn
31 | 
32 |   tags = {
33 |     Name            = "file-system"
34 |   }
35 | 
36 | }
37 | 
38 | 
39 | # first mount target for the EFS 
40 | resource "aws_efs_mount_target" "subnet-1" {
41 |   file_system_id  = aws_efs_file_system.project-efs.id
42 |   subnet_id       = aws_subnet.privateSubnet-1.id
43 |   security_groups = [aws_security_group.datalayer-sg.id]
44 | }
45 | 
46 | 
47 | # second mount target for the EFS 
48 | resource "aws_efs_mount_target" "subnet-2" {
49 |   file_system_id  = aws_efs_file_system.project-efs.id
50 |   subnet_id       = aws_subnet.privateSubnet-2.id
51 |   security_groups = [aws_security_group.datalayer-sg.id]
52 | }
53 | 
54 | 
55 | # Access point for wordpress
56 | resource "aws_efs_access_point" "wordpress" {
57 |   file_system_id = aws_efs_file_system.project-efs.id
58 | 
59 |   posix_user {
60 |     gid = 0
61 |     uid = 0
62 |   }
63 | 
64 |   root_directory {
65 |     path = "/wordpress"
66 | 
67 |     creation_info {
68 |       owner_gid   = 0
69 |       owner_uid   = 0
70 |       permissions = 0755
71 |     }
72 | 
73 |   }
74 | 
75 | }
76 | 
77 | 
78 | # Access point for tooling
79 | resource "aws_efs_access_point" "tooling" {
80 |   file_system_id = aws_efs_file_system.project-efs.id
81 |   posix_user {
82 |     gid = 0
83 |     uid = 0
84 |   }
85 | 
86 |   root_directory {
87 | 
88 |     path = "/tooling"
89 | 
90 |     creation_info {
91 |       owner_gid   = 0
92 |       owner_uid   = 0
93 |       permissions = 0755
94 |     }
95 | 
96 |   }
97 | }
98 | 


--------------------------------------------------------------------------------
/images/3tierapplication.drawio.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AyBims/AWS_Terraform_3tier_app/bc5260009e3f440e1b6a21e1cc45e631b16b1b38/images/3tierapplication.drawio.png


--------------------------------------------------------------------------------
/images/iam policy.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AyBims/AWS_Terraform_3tier_app/bc5260009e3f440e1b6a21e1cc45e631b16b1b38/images/iam policy.png


--------------------------------------------------------------------------------
/launch-templates.tf:
--------------------------------------------------------------------------------
  1 | # launch template for bastion
  2 | 
  3 | resource "aws_launch_template" "bastion-launch-template" {
  4 |   name = "bastion"
  5 | 
  6 |   block_device_mappings {
  7 |     device_name = "/dev/sda1"
  8 | 
  9 |     ebs {
 10 |       volume_size = 20
 11 |     }
 12 |   }
 13 | 
 14 | 
 15 |   image_id = "ami-026ebd4cfe2c043b2"
 16 | 
 17 |   instance_initiated_shutdown_behavior = "terminate"
 18 | 
 19 |   instance_type = "t2.micro"
 20 | 
 21 |   key_name = "devops"
 22 | 
 23 | 
 24 |   monitoring {
 25 |     enabled = true
 26 |   }
 27 | 
 28 |   placement {
 29 |     availability_zone = "us-east-1a"
 30 |   }
 31 | 
 32 | 
 33 |   vpc_security_group_ids = [aws_security_group.bastion-sg.id]
 34 | 
 35 |   tag_specifications {
 36 |     resource_type = "instance"
 37 | 
 38 | 
 39 |     tags = {
 40 |       Name            = "bastion-launch-template"
 41 |     }
 42 |   }
 43 | 
 44 |   user_data = filebase64("${path.module}/bin/bastion.sh")
 45 | }
 46 | 
 47 | 
 48 | 
 49 | 
 50 | # Nginx Launch Template
 51 | 
 52 | resource "aws_launch_template" "nginx-launch-template" {
 53 |   name = "nginx"
 54 | 
 55 |   block_device_mappings {
 56 |     device_name = "/dev/sda1"
 57 | 
 58 |     ebs {
 59 |       volume_size = 20
 60 |     }
 61 |   }
 62 | 
 63 | 
 64 |   image_id = "ami-026ebd4cfe2c043b2"
 65 | 
 66 |   instance_initiated_shutdown_behavior = "terminate"
 67 | 
 68 |   instance_type = "t2.micro"
 69 | 
 70 |   key_name = "devops"
 71 | 
 72 | 
 73 |   monitoring {
 74 |     enabled = true
 75 |   }
 76 | 
 77 |   placement {
 78 |     availability_zone = "us-east-1a"
 79 |   }
 80 | 
 81 | 
 82 |   vpc_security_group_ids = [aws_security_group.nginx-sg.id]
 83 | 
 84 |   tag_specifications {
 85 |     resource_type = "instance"
 86 | 
 87 | 
 88 |     tags = {
 89 |       Name            = "nginx-launch-template"
 90 |     }
 91 |   }
 92 | 
 93 |   user_data = filebase64("${path.module}/bin/nginx.sh")
 94 | }
 95 | 
 96 | 
 97 | 
 98 | # Tooling Launch Template
 99 | resource "aws_launch_template" "tooling-launch-template" {
100 |   name = "tooling"
101 | 
102 |   block_device_mappings {
103 |     device_name = "/dev/sda1"
104 | 
105 |     ebs {
106 |       volume_size = 20
107 |     }
108 |   }
109 | 
110 | 
111 |   image_id = "ami-026ebd4cfe2c043b2"
112 | 
113 |   instance_initiated_shutdown_behavior = "terminate"
114 | 
115 |   instance_type = "t2.micro"
116 | 
117 |   key_name = "devops"
118 | 
119 | 
120 |   monitoring {
121 |     enabled = true
122 |   }
123 | 
124 |   placement {
125 |     availability_zone = "us-east-1a"
126 |   }
127 | 
128 | 
129 |   vpc_security_group_ids = [aws_security_group.tooling-sg.id]
130 | 
131 |   tag_specifications {
132 |     resource_type = "instance"
133 | 
134 | 
135 |     tags = {
136 |       Name            = "tooling-launch-template"
137 |     }
138 |   }
139 | 
140 |   user_data = filebase64("${path.module}/bin/tooling.sh")
141 | }
142 | 
143 | 
144 | # Wordpress Launch Template
145 | resource "aws_launch_template" "wordpress-launch-template" {
146 |   name = "wordpress"
147 | 
148 |   block_device_mappings {
149 |     device_name = "/dev/sda1"
150 | 
151 |     ebs {
152 |       volume_size = 20
153 |     }
154 |   }
155 | 
156 | 
157 |   image_id = "ami-026ebd4cfe2c043b2"
158 | 
159 |   instance_initiated_shutdown_behavior = "terminate"
160 | 
161 |   instance_type = "t2.micro"
162 | 
163 |   key_name = "devops"
164 | 
165 | 
166 |   monitoring {
167 |     enabled = true
168 |   }
169 | 
170 |   placement {
171 |     availability_zone = "us-east-1a"
172 |   }
173 | 
174 | 
175 |   vpc_security_group_ids = [aws_security_group.wordpress-sg.id]
176 | 
177 |   tag_specifications {
178 |     resource_type = "instance"
179 | 
180 | 
181 |     tags = {
182 |       Name            = "wordpress-launch-template"
183 |     }
184 |   }
185 | 
186 |   user_data = filebase64("${path.module}/bin/wordpress.sh")
187 | }


--------------------------------------------------------------------------------
/nginx-sg.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_security_group" "nginx-sg" {
 2 |   name        = "nginx-sg"
 3 |   vpc_id      = aws_vpc.main.id
 4 |   description = "Nginx SG"
 5 | 
 6 | 
 7 |   tags = {
 8 |     Name            = "nginx-sg"
 9 |   }
10 | 
11 | }
12 | 
13 | 
14 | resource "aws_security_group_rule" "allow_port80_from_ext_alb" {
15 |   type                     = "ingress"
16 |   from_port                = 80
17 |   to_port                  = 80
18 |   protocol                 = "tcp"
19 |   source_security_group_id = aws_security_group.external-alb-sg.id
20 |   security_group_id        = aws_security_group.nginx-sg.id
21 | }
22 | 
23 | 
24 | resource "aws_security_group_rule" "allow_port443_from_ext_alb" {
25 |   type                     = "ingress"
26 |   from_port                = 443
27 |   to_port                  = 443
28 |   protocol                 = "tcp"
29 |   source_security_group_id = aws_security_group.external-alb-sg.id
30 |   security_group_id        = aws_security_group.nginx-sg.id
31 | }
32 | 
33 | # Add this later 
34 | 
35 | resource "aws_security_group_rule" "inbound-bastion-ssh-to-nginx" {
36 |   type                     = "ingress"
37 |   from_port                = 22
38 |   to_port                  = 22
39 |   protocol                 = "tcp"
40 |   source_security_group_id = aws_security_group.bastion-sg.id
41 |   security_group_id        = aws_security_group.nginx-sg.id
42 | }
43 | 
44 | 
45 | resource "aws_security_group_rule" "allow_all_nginx_egress" {
46 |   type              = "egress"
47 |   from_port         = 0
48 |   to_port           = 0
49 |   protocol          = "-1"
50 |   cidr_blocks       = ["0.0.0.0/0"]
51 |   security_group_id = aws_security_group.nginx-sg.id
52 | }
53 | 
54 | 


--------------------------------------------------------------------------------
/provider.tf:
--------------------------------------------------------------------------------
1 | provider "aws" {
2 |   region = "us-east-1"
3 | }


--------------------------------------------------------------------------------
/rds.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_db_subnet_group" "rds-subnet-group" {
 2 |   name = "rds-subnet-group"
 3 |   subnet_ids = [aws_subnet.privateSubnet-3.id,
 4 |   aws_subnet.privateSubnet-4.id]
 5 | 
 6 |   tags = {
 7 |     Name            = "rds-subnet-group"
 8 |   }
 9 | 
10 | }
11 | 
12 | # create the RDS instance with the subnets group
13 | resource "aws_db_instance" "project-RDS" {
14 |   allocated_storage      = 20
15 |   storage_type           = "gp2"
16 |   engine                 = "mysql"
17 |   engine_version         = "5.7"
18 |   instance_class         = "db.t2.micro"
19 |   name                   = "projectDB"
20 |   username               = "project16"
21 |   password               = "pblproject16"
22 |   parameter_group_name   = "default.mysql5.7"
23 |   db_subnet_group_name   = aws_db_subnet_group.rds-subnet-group.name
24 |   skip_final_snapshot    = true
25 |   vpc_security_group_ids = [aws_security_group.datalayer-sg.id]
26 |   multi_az               = "true"
27 | }
28 | 


--------------------------------------------------------------------------------
/vpc.tf:
--------------------------------------------------------------------------------
  1 | # vpc
  2 | resource "aws_vpc" "main" {
  3 |   cidr_block       = "10.1.0.0/16"
  4 |   instance_tenancy = "default"
  5 | 
  6 |   tags = {
  7 |     Name = "main"
  8 |   }
  9 | }
 10 | 
 11 | # public subnets
 12 | resource "aws_subnet" "publicSubnet-1" {
 13 |   vpc_id     = aws_vpc.main.id
 14 |   cidr_block = "10.1.1.0/24"
 15 |   map_public_ip_on_launch = true
 16 |   availability_zone       = "us-east-1a"
 17 | 
 18 |   tags = {
 19 |     Name = "publicSubnet-1"
 20 |   }
 21 | }
 22 | 
 23 | resource "aws_subnet" "publicSubnet-2" {
 24 |   vpc_id     = aws_vpc.main.id
 25 |   cidr_block = "10.1.2.0/24"
 26 |   map_public_ip_on_launch = true
 27 |   availability_zone       = "us-east-1b"
 28 | 
 29 |   tags = {
 30 |     Name = "publicSubnet-1"
 31 |   }
 32 | }
 33 | 
 34 | # private subnets
 35 | resource "aws_subnet" "privateSubnet-1" {
 36 |   vpc_id     = aws_vpc.main.id
 37 |   cidr_block = "10.1.3.0/24"
 38 |   map_public_ip_on_launch = false
 39 |   availability_zone       = "us-east-1a"
 40 | 
 41 |   tags = {
 42 |     Name = "privateSubnet-1"
 43 |   }
 44 | }
 45 | 
 46 | resource "aws_subnet" "privateSubnet-2" {
 47 |   vpc_id     = aws_vpc.main.id
 48 |   cidr_block = "10.1.4.0/24"
 49 |   map_public_ip_on_launch = false
 50 |   availability_zone       = "us-east-1b"
 51 | 
 52 |   tags = {
 53 |     Name = "privateSubnet-2"
 54 |   }
 55 | }
 56 | 
 57 | resource "aws_subnet" "privateSubnet-3" {
 58 |   vpc_id     = aws_vpc.main.id
 59 |   cidr_block = "10.1.5.0/24"
 60 |   map_public_ip_on_launch = false
 61 |   availability_zone       = "us-east-1a"
 62 | 
 63 |   tags = {
 64 |     Name = "privateSubnet-3"
 65 |   }
 66 | }
 67 | 
 68 | resource "aws_subnet" "privateSubnet-4" {
 69 |   vpc_id     = aws_vpc.main.id
 70 |   cidr_block = "10.1.6.0/24"
 71 |   map_public_ip_on_launch = false
 72 |   availability_zone       = "us-east-1b"
 73 | 
 74 |   tags = {
 75 |     Name = "privateSubnet-4"
 76 |   }
 77 | }
 78 | 
 79 | # Internet gateway
 80 | resource "aws_internet_gateway" "ig" {
 81 |   vpc_id = aws_vpc.main.id
 82 | 
 83 |   tags = {
 84 |     Name = "Internet-gateway"
 85 |   }
 86 | }
 87 | 
 88 | # NAT Gateway and elastic IP address
 89 | resource "aws_eip" "nat_eip" {
 90 |   domain           = "vpc"
 91 |   depends_on = [aws_internet_gateway.ig]
 92 | 
 93 | 
 94 |   tags = {
 95 |     Name            = "nat-eip"
 96 |   }
 97 | }
 98 | 
 99 | 
100 | resource "aws_nat_gateway" "nat" {
101 |   allocation_id = aws_eip.nat_eip.id
102 |   subnet_id     = aws_subnet.publicSubnet-1.id
103 |   depends_on    = [aws_internet_gateway.ig]
104 | 
105 | 
106 |   tags = {
107 |     Name            = "main-nat"
108 |   }
109 | }
110 | 
111 | 
112 | 
113 | # route table for public subnets
114 | resource "aws_route_table" "public-rt" {
115 |   vpc_id = aws_vpc.main.id
116 | 
117 |   tags = {
118 |     Name            = "Public-Route-Table"
119 |   }
120 | }
121 | 
122 | # route table association for public subnets
123 | resource "aws_route" "public-rt-route" {
124 |   route_table_id         = aws_route_table.public-rt.id
125 |   destination_cidr_block = "0.0.0.0/0"
126 |   gateway_id             = aws_internet_gateway.ig.id
127 | }
128 | 
129 | 
130 | resource "aws_route_table_association" "public-subnets-assoc-1" {
131 |   subnet_id      = aws_subnet.publicSubnet-1.id
132 |   route_table_id = aws_route_table.public-rt.id
133 | }
134 | 
135 | resource "aws_route_table_association" "public-subnets-assoc-2" {
136 |   subnet_id      = aws_subnet.publicSubnet-2.id
137 |   route_table_id = aws_route_table.public-rt.id
138 | }
139 | 
140 | 
141 | 
142 | # private route table
143 | resource "aws_route_table" "private-rt" {
144 |   vpc_id = aws_vpc.main.id
145 | 
146 |   tags = {
147 |     Name            = "Private-Route-Table"
148 |   }
149 | }
150 | 
151 | # route table association for private subnet
152 | resource "aws_route" "private-rt-route" {
153 |   route_table_id         = aws_route_table.private-rt.id
154 |   destination_cidr_block = "0.0.0.0/0"
155 |   nat_gateway_id         = aws_nat_gateway.nat.id
156 | }
157 | 
158 | 
159 | resource "aws_route_table_association" "private-subnets-assoc-1" {
160 |   subnet_id      = aws_subnet.privateSubnet-1.id
161 |   route_table_id = aws_route_table.private-rt.id
162 | }
163 | 
164 | 
165 | resource "aws_route_table_association" "private-subnets-assoc-2" {
166 |   subnet_id      = aws_subnet.privateSubnet-2.id
167 |   route_table_id = aws_route_table.private-rt.id
168 | }
169 | 
170 | resource "aws_route_table_association" "private-subnets-assoc-3" {
171 |   subnet_id      = aws_subnet.privateSubnet-3.id
172 |   route_table_id = aws_route_table.private-rt.id
173 | }
174 | 
175 | resource "aws_route_table_association" "private-subnets-assoc-4" {
176 |   subnet_id      = aws_subnet.privateSubnet-4.id
177 |   route_table_id = aws_route_table.private-rt.id
178 | }


--------------------------------------------------------------------------------
/webservers-sg.tf:
--------------------------------------------------------------------------------
  1 | # Tooling
  2 | resource "aws_security_group" "tooling-sg" {
  3 |   name        = "tooling-sg"
  4 |   vpc_id      = aws_vpc.main.id
  5 |   description = "tooling SG"
  6 | 
  7 |   tags = {
  8 |     Name            = "tooling-sg"
  9 |   }
 10 | }
 11 | 
 12 | 
 13 | resource "aws_security_group_rule" "allow_HTTP_from_internal_alb_to_tooling" {
 14 |   type                     = "ingress"
 15 |   from_port                = 80
 16 |   to_port                  = 80
 17 |   protocol                 = "tcp"
 18 |   source_security_group_id = aws_security_group.internal-alb-sg.id
 19 |   security_group_id        = aws_security_group.tooling-sg.id
 20 | }
 21 | 
 22 | resource "aws_security_group_rule" "inbound-bastion-ssh-to-tooling" {
 23 |   type                     = "ingress"
 24 |   from_port                = 22
 25 |   to_port                  = 22
 26 |   protocol                 = "tcp"
 27 |   source_security_group_id = aws_security_group.bastion-sg.id
 28 |   security_group_id        = aws_security_group.tooling-sg.id
 29 | }
 30 | 
 31 | resource "aws_security_group_rule" "allow_all_tooling_egress" {
 32 |   type              = "egress"
 33 |   from_port         = 0
 34 |   to_port           = 0
 35 |   protocol          = "-1"
 36 |   cidr_blocks       = ["0.0.0.0/0"]
 37 |   security_group_id = aws_security_group.tooling-sg.id
 38 | }
 39 | 
 40 | 
 41 | # Wordpress
 42 | resource "aws_security_group" "wordpress-sg" {
 43 |   name        = "wordpress-sg"
 44 |   vpc_id      = aws_vpc.main.id
 45 |   description = "wordpress SG"
 46 | 
 47 | 
 48 |   tags = {
 49 |     Name            = "wordpress-sg"
 50 |   }
 51 | 
 52 | }
 53 | 
 54 | resource "aws_security_group_rule" "allow_HTTP_from_internal_alb_to_wordpress" {
 55 |   type                     = "ingress"
 56 |   from_port                = 80
 57 |   to_port                  = 80
 58 |   protocol                 = "tcp"
 59 |   source_security_group_id = aws_security_group.internal-alb-sg.id
 60 |   security_group_id        = aws_security_group.wordpress-sg.id
 61 | }
 62 | 
 63 | resource "aws_security_group_rule" "allow_all_wordpress_egress" {
 64 |   type              = "egress"
 65 |   from_port         = 0
 66 |   to_port           = 0
 67 |   protocol          = "-1"
 68 |   cidr_blocks       = ["0.0.0.0/0"]
 69 |   security_group_id = aws_security_group.wordpress-sg.id
 70 | }
 71 | 
 72 | 
 73 | # Datalayer
 74 | resource "aws_security_group" "datalayer-sg" {
 75 |   name        = "datalayer-sg"
 76 |   vpc_id      = aws_vpc.main.id
 77 |   description = "Datalayer SG"
 78 | 
 79 | 
 80 |   tags = {
 81 |     Name            = "datalayer-sg"
 82 |   }
 83 | }
 84 | 
 85 | resource "aws_security_group_rule" "allow_from_tooling_web_to_mysql" {
 86 |   type                     = "ingress"
 87 |   from_port                = 3306
 88 |   to_port                  = 3306
 89 |   protocol                 = "tcp"
 90 |   source_security_group_id = aws_security_group.wordpress-sg.id
 91 |   security_group_id        = aws_security_group.datalayer-sg.id
 92 | }
 93 | 
 94 | 
 95 | resource "aws_security_group_rule" "allow_from_wordpress_web_to_mysql" {
 96 |   type                     = "ingress"
 97 |   from_port                = 3306
 98 |   to_port                  = 3306
 99 |   protocol                 = "tcp"
100 |   source_security_group_id = aws_security_group.tooling-sg.id
101 |   security_group_id        = aws_security_group.datalayer-sg.id
102 | }
103 | 
104 | 
105 | 
106 | resource "aws_security_group_rule" "allow_from_tooling_web_to_efs" {
107 |   type                     = "ingress"
108 |   from_port                = 2049
109 |   to_port                  = 2049
110 |   protocol                 = "tcp"
111 |   source_security_group_id = aws_security_group.wordpress-sg.id
112 |   security_group_id        = aws_security_group.datalayer-sg.id
113 | }
114 | 
115 | 
116 | resource "aws_security_group_rule" "allow_from_wordpress_web_to_efs" {
117 |   type                     = "ingress"
118 |   from_port                = 2049
119 |   to_port                  = 2049
120 |   protocol                 = "tcp"
121 |   source_security_group_id = aws_security_group.tooling-sg.id
122 |   security_group_id        = aws_security_group.datalayer-sg.id
123 | }
124 | 


--------------------------------------------------------------------------------