The latest articles on Forem by Viktor Vasylkovskyi (@vvasylkovskyi). https://forem.com/vvasylkovskyi https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2437649%2F528a6805-4df8-4fa5-8eb6-d4110d4defff.jpg https://forem.com/vvasylkovskyi en Viktor Vasylkovskyi Wed, 06 May 2026 15:58:03 +0000 https://forem.com/vvasylkovskyi/infrastructure-as-code-toolbox-final-thoughts-and-future-work-3d0 https://forem.com/vvasylkovskyi/infrastructure-as-code-toolbox-final-thoughts-and-future-work-3d0 <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/load-test-4agk">Load Testing Infrastructure</a></p> <p>We have reached the end of this infrastructure journey. By now, you should have a solid understanding of how to provision and manage cloud infrastructure using Terraform. You've built a complete three-tier web application architecture on AWS, covering everything from networking and compute to security and data storage.</p> <p>As promised, we have delivered the following outputs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>domain_for_your_apps <span class="o">=</span> http://www.your-domain.com database_endpoint <span class="o">=</span> <span class="s2">"postgres-db.cspuccciib8v.us-east-1.rds.amazonaws.com:5432"</span> ec2_first_instance_ip_address <span class="o">=</span> <span class="s2">"3.222.64.160"</span> ec2_second_instance_ip_address <span class="o">=</span> <span class="s2">"3.223.185.158"</span> </code></pre> </div> <p>Note, all of them are public, although your are in charge of protecting them. Use them at your own risk!</p> <h2> Next Steps </h2> <p>I hope you enjoyed this hands-on journey through building infrastructure with Terraform on AWS. The goal was to provide you with a solid foundation that you can build upon.</p> <p>As you have seen from the load test, the infrastructure is far from production ready. It doesn't handle the load well, and lacks proper security in place. The missing production checklists are numerous, below I will list a few ideas for next steps you can take to enhance this infrastructure.</p> <h3> Security Enhancements </h3> <p>There are several security issues with the current setup. Doesn't mean it is insecure by default, but when you pursue production readiness and certification like Service Organization Control 2 (SOC2), you need to address them. Here are some suggestions:</p> <h4> Restrict Network Access </h4> <p>This one is about the public accessibility of our resources. We don't need to expose everything to the internet:</p> <ul> <li>Our RDS database is publicly accessible. In production it probably best to put it in private subnet, and allow access by ec2 instances only.</li> <li>The Ec2 instances are in public subnet. Since we are using a load balancer, we can put them in private subnet, and allow access only from the load balancer.</li> <li>We have exposed the SSH port (22) to the world and reuse same keys for both EC2 instances. In production, you should restrict access to known IPs and use different keys for each instance. Or use AWS Systems Manager (SSM) to access instances without SSH.</li> </ul> <h4> Encryption </h4> <p>Everything should be encrypted, both at rest and in transit:</p> <ul> <li>The RDS database does not have encryption at rest enabled. In production, you should enable it.</li> <li>Use encryption in transit - enforce HTTPS (We got this one right - using API Gateway and Load Balancer with HTTPS)</li> </ul> <h4> Access Control (IAM) </h4> <p>The current setup access sensitive resources too permissively:</p> <ul> <li>Lock the root account and use IAM roles with least privilege. Currently we are using root account credentials in the Terraform provider which is not a best practice.</li> <li>Use secrets management - no hardcoded secrets (We got this one right partially - using AWS Secrets Manager, but the secrets are injected via user data script which is not ideal, and is in plain text on the instance)</li> </ul> <h3> Disaster Recovery and Incident Response </h3> <p>The above security enhancement will provide you good preventive controls, but you also need to prepare for the worst-case scenarios:</p> <h4> Application Level Backups and Monitoring </h4> <ul> <li>Do periodic backups of your RDS database, and test the restore process.</li> <li>Enable Application Logging, Monitoring and Alerting using services like <a href="https://aws.amazon.com/cloudwatch/" rel="noopener noreferrer">CloudWatch</a> or <a href="https://grafana.com/" rel="noopener noreferrer">Grafana</a>.</li> <li>Set up an Incident Response Plan using tools like <a href="https://www.pagerduty.com/" rel="noopener noreferrer">PagerDuty</a>.</li> </ul> <h4> Cloud-Level Disaster Recovery </h4> <ul> <li>Use Infrastructure as Code (IaC) to quickly recreate your infrastructure in another region if needed (which we have done using Terraform).</li> <li>Setup logging and monitoring for your infrastructure using <a href="https://aws.amazon.com/cloudtrail/" rel="noopener noreferrer">AWS CloudTrail</a>.</li> <li>Enable logging for database, load balancer, and other services.</li> </ul> <h3> Performance and Scalability Improvements </h3> <p>Finally, to go from startup with a few users to enterprise with millions of users, you need to ensure your infrastructure can scale and perform well under load:</p> <ul> <li>Implementing auto-scaling for EC2 instances with <a href="https://aws.amazon.com/ecs/" rel="noopener noreferrer">ECS</a> </li> <li>Adding <a href="https://kubernetes.io/" rel="noopener noreferrer">Kubernetes</a> for the orchestration of containers and quick scaling from 2 instances to more</li> <li>Adding caching layers using services like <a href="https://redis.io/" rel="noopener noreferrer">Redis</a> cache,</li> <li>Using a Content Delivery Network (CDN) like <a href="https://aws.amazon.com/cloudfront/" rel="noopener noreferrer">CloudFront</a> to serve static assets faster</li> <li>Database optimization and read replicas for RDS</li> <li>Using multiple availability zones (AZs) for high availability</li> </ul> <h2> Conclusion </h2> <p>I encourage you to continue exploring and experimenting with Terraform and AWS. The possibilities are endless, and the skills you've gained here will serve you well in your infrastructure journey. Myself, I will continue expanding this guide with more advanced topics and real-world scenarios. Stay tuned for more!</p> <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/load-test-4agk">Load Testing Infrastructure</a></p> aws devops infrastructure terraform Viktor Vasylkovskyi Wed, 06 May 2026 15:57:29 +0000 https://forem.com/vvasylkovskyi/load-test-4agk https://forem.com/vvasylkovskyi/load-test-4agk <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/provisioning-postgressql-rdbms-on-aws-with-terraform-apc">Provisioning PostgreSQL RDS</a></p> <p>It would not be a complete infrastructure setup without some load testing. We have built this beautiful infrastructure that does pretty much nothing. But how much user load can it handle? Let's find out!</p> <h3> Using k6 for Load Testing </h3> <p>We are going to use <a href="https://k6.io/" rel="noopener noreferrer">k6</a> - a modern load testing tool that makes it easy to script and run load tests. First, install k6 by following the instructions on their <a href="https://grafana.com/docs/k6/latest/set-up/install-k6/" rel="noopener noreferrer">installation page</a>.</p> <h3> Writing a Load Test Script </h3> <p>We are going to create a simple load test script that hits our web application's domain. Create a file named <code>load-test.js</code> with the following content:</p> <p>We are going to simulate 10000 virtual users (VUs) over a period of 20 seconds, sending requests to our web application's domain.</p> <p>The following is the script content that you should put in <code>load-test.js</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">http</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">k6/http</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">sleep</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">k6</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">options</span> <span class="o">=</span> <span class="p">{</span> <span class="na">vus</span><span class="p">:</span> <span class="mi">10000</span><span class="p">,</span> <span class="na">duration</span><span class="p">:</span> <span class="dl">'</span><span class="s1">20s</span><span class="dl">'</span><span class="p">,</span> <span class="p">};</span> <span class="k">export</span> <span class="k">default</span> <span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="nx">http</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">http://www.your-domain.com</span><span class="dl">'</span><span class="p">);</span> <span class="nf">sleep</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> Running the Load Test </h3> <p>You can run the load test using the following command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>k6 run load-test.js </code></pre> </div> <p>The test will start, after it finishes, the <code>json</code> file will be created and you will see real-time statistics about the requests being made, response times, and any errors encountered.</p> <h3> Analyzing the Results </h3> <p>The JSON output file can be analyzed using various tools. One popular option is to use <a href="https://grafana.com/" rel="noopener noreferrer">Grafana</a> along with <a href="https://k6.io/docs/cloud/" rel="noopener noreferrer">k6 Cloud</a>. You can also use the built-in summary report that k6 provides at the end of the test run.</p> <p>I have made a simple web app to render the results, and here is a sample screenshot of how the results might look:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fudzvzddhzgep8pa1byl3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fudzvzddhzgep8pa1byl3.png" alt=" " width="800" height="295"></a></p> <p>You can see that our infrastructure did not handle the 10000 users very well! Outch!</p> <p>This is expected since we did not setup auto-scaling, or caching, and only had two EC2 instances running. In a production scenario, you would want to implement these features to handle high traffic loads effectively.</p> <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/provisioning-postgressql-rdbms-on-aws-with-terraform-apc">Provisioning PostgreSQL RDS</a> | <strong>Next:</strong> <a href="https://dev.to/vvasylkovskyi/infrastructure-as-code-toolbox-final-thoughts-and-future-work-3d0">Final Thoughts and Future Work</a></p> devops performance testing tutorial Viktor Vasylkovskyi Wed, 06 May 2026 15:56:44 +0000 https://forem.com/vvasylkovskyi/provisioning-postgressql-rdbms-on-aws-with-terraform-apc https://forem.com/vvasylkovskyi/provisioning-postgressql-rdbms-on-aws-with-terraform-apc <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/provision-aws-secret-manager-retrieval-of-secrets-4g6b">AWS Secrets Manager</a></p> <p>In this guide, we will learn how to provision a managed PostgresSQL database using Amazon RDS (Relational Database Service) with Terraform. RDS makes it easy to set up, operate, and scale a relational database in the cloud.</p> <p>Why would you want a database? Most web applications need to store and retrieve structured data. A relational database like PostgresSQL provides a reliable way to manage this data with support for complex queries, transactions, and relationships. So let's get started!</p> <h2> Overview </h2> <p>We are going to create infra same as before but with the RDS database integrated. Let's begin by looking at the architecture diagram:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmhyra4n1on17u2szgtt6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmhyra4n1on17u2szgtt6.png" alt=" " width="800" height="280"></a></p> <h2> Github Repository </h2> <p>This guide full code is available in <a href="https://github.com/IaC-Toolbox/iac-toolbox-project/tree/main/v8-rds-database" rel="noopener noreferrer">https://github.com/IaC-Toolbox/iac-toolbox-project/tree/main/v8-rds-database</a>. Feel free to clone it and follow along!</p> <h2> Adding RDS Module </h2> <p>First, let's create a new Terraform module for RDS. Create a new folder called <code>modules/rds</code> and add the following files:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/rds/main.tf</span> <span class="k">resource</span> <span class="s2">"aws_db_instance"</span> <span class="s2">"postgres"</span> <span class="p">{</span> <span class="nx">identifier</span> <span class="p">=</span> <span class="s2">"postgres-db"</span> <span class="nx">engine</span> <span class="p">=</span> <span class="s2">"postgres"</span> <span class="nx">engine_version</span> <span class="p">=</span> <span class="s2">"15"</span> <span class="nx">instance_class</span> <span class="p">=</span> <span class="s2">"db.t3.micro"</span> <span class="nx">allocated_storage</span> <span class="p">=</span> <span class="mi">20</span> <span class="nx">storage_type</span> <span class="p">=</span> <span class="s2">"gp2"</span> <span class="nx">skip_final_snapshot</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># for dev; not recommended in production</span> <span class="nx">publicly_accessible</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">username</span> <span class="p">=</span> <span class="c1"># To be filled soon</span> <span class="nx">password</span> <span class="p">=</span> <span class="c1"># To be filled soon</span> <span class="nx">db_name</span> <span class="p">=</span> <span class="c1"># To be filled soon</span> <span class="nx">vpc_security_group_ids</span> <span class="p">=</span> <span class="p">[]</span> <span class="c1"># To be filled soon</span> <span class="nx">db_subnet_group_name</span> <span class="p">=</span> <span class="c1"># To be filled soon</span> <span class="p">}</span> </code></pre> </div> <p>Above resource creates a PostgresSQL database instance with the specified parameters. We are using <code>db.t3.micro</code> instance class which is quite small and suitable for development and testing purposes. The <code>allocated_storage</code> means 20GB allocated for this database, and we are using PostgresSQL database here. The <code>skip_final_snapshot</code> is a parameter used in AWS RDS (Relational Database Service) operations, such as when deleting a database instance with Terraform or the AWS CLI. If <code>skip_final_snapshot = true</code>, AWS will not create a final backup (snapshot) of your RDS instance before deleting it. We will keep it as is for our testing purpose, but it is recommended to set it to false for production use.</p> <p>Usually, a database should be placed in private subnets for security reasons. You can create new private subnet in the <code>modules/network</code> and get it here using <code>var.private_subnet_ids</code>. However, for simplicity, we will use public subnets here. One of the side-effects of having database in a public subnet is that it will have a public endpoint, which is not recommended for production use (but fine for testing).</p> <p>Besides being inserted in a subnet, the database also needs to be part of a security group that allows access to it, It also needs database name, username and password to be created. We will provide these as variables.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/rds/variables.tf</span> <span class="k">variable</span> <span class="s2">"database_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"database_username"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"database_password"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"subnet_ids"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"vpc_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <p>And finally, we can add an output to get the database endpoint:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/rds/outputs.tf</span> <span class="k">output</span> <span class="s2">"database_endpoint"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_db_instance</span><span class="p">.</span><span class="nx">postgres</span><span class="p">.</span><span class="nx">endpoint</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The connection endpoint for the Postgres database."</span> <span class="p">}</span> </code></pre> </div> <h2> Defining Security Groups for RDS </h2> <p>We will create a simple resource that allows inbound access to PostgresSQL port 5432.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/rds/main.tf</span> <span class="k">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"rds_sg"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"rds_sg"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow Postgres access"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">5432</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">5432</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>And now, we can use this security group in our database instance:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/rds/main.tf</span> <span class="k">resource</span> <span class="s2">"aws_db_instance"</span> <span class="s2">"postgres"</span> <span class="p">{</span> <span class="p">...</span> <span class="nx">vpc_security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">rds_sg</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h2> Creating the RDS Subnet Group </h2> <p>AWS RDS requires a subnet group with at least 2 subnets in different Availability Zones for high availability and failover capabilities. For example, your database subnet group can include two private subnets from different AZs.</p> <p>We already have subnets created in <code>modules/network</code>, so we can create a subnet group in the RDS module like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_db_subnet_group"</span> <span class="s2">"default"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"rds-subnet-group"</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">for</span> <span class="nx">id</span> <span class="nx">in</span> <span class="kd">var</span><span class="p">.</span><span class="nx">subnet_ids</span> <span class="err">:</span> <span class="nx">id</span><span class="p">]</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"RDS Subnet Group"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Now, add this subnet group to the database instance:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/rds/main.tf</span> <span class="k">resource</span> <span class="s2">"aws_db_instance"</span> <span class="s2">"postgres"</span> <span class="p">{</span> <span class="p">...</span> <span class="nx">db_subnet_group_name</span> <span class="p">=</span> <span class="nx">aws_db_subnet_group</span><span class="p">.</span><span class="nx">default</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> </code></pre> </div> <h2> Using the RDS Module </h2> <p>Finally, we can use the RDS module in our main Terraform configuration. Open <code>main.tf</code> and add the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">module</span> <span class="s2">"rds"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/rds"</span> <span class="nx">database_name</span> <span class="p">=</span> <span class="s2">"my_app_db"</span> <span class="nx">database_username</span> <span class="p">=</span> <span class="s2">"your_username"</span> <span class="nx">database_password</span> <span class="p">=</span> <span class="s2">"your_secure_password"</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">public_subnet_ids</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="p">}</span> </code></pre> </div> <p>Make sure to replace <code>your_secure_password</code> with a strong password. Preferably, use Terraform variables or AWS Secrets Manager to manage sensitive information like passwords. You can read more about securing secrets in <a href="https://dev.to/vvasylkovskyi/provision-aws-secret-manager-retrieval-of-secrets-4g6b">Provisioning AWS Secret Manager and Securing Secrets</a>.</p> <h2> Outputs </h2> <p>In <code>outputs.tf</code>, add the following to get the database endpoint:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">output</span> <span class="s2">"database_endpoint"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">rds</span><span class="p">.</span><span class="nx">database_endpoint</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The connection endpoint for the Postgres database."</span> <span class="p">}</span> </code></pre> </div> <h2> Testing the Setup </h2> <p>Let's provisiong the infrastructure by running:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform init terraform apply <span class="nt">--auto-approve</span> </code></pre> </div> <p>This will create the RDS database along with the rest of the infrastructure. After the apply is complete, you should see the database endpoint in the outputs.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Outputs: database_endpoint <span class="o">=</span> <span class="s2">"postgres-db.cspuccciib8v.us-east-1.rds.amazonaws.com:5432"</span> </code></pre> </div> <p>You can use this endpoint to connect to your PostgresSQL database using any Postgres client. Let's test the connection using <code>psql</code> command-line tool:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Note, you need to install psql client first if you don't have it already</span> psql <span class="se">\</span> <span class="nt">--host</span><span class="o">=</span>postgres-db.cspuccciib8v.us-east-1.rds.amazonaws.com <span class="se">\</span> <span class="nt">--port</span><span class="o">=</span>5432 <span class="se">\</span> <span class="nt">--username</span><span class="o">=</span>your_username <span class="se">\</span> <span class="nt">--dbname</span><span class="o">=</span>my_app_db <span class="c"># Received prompt like this:</span> <span class="o">&gt;</span> Password <span class="k">for </span>user your_username: <span class="c"># Enter the password you specified earlier</span> <span class="c"># You should see the psql prompt if the connection is successful:</span> psql <span class="o">(</span>17.5, server 15.14<span class="o">)</span> SSL connection <span class="o">(</span>protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, compression: off, ALPN: none<span class="o">)</span> Type <span class="s2">"help"</span> <span class="k">for </span>help. <span class="nv">my_app_db</span><span class="o">=&gt;</span> </code></pre> </div> <p>And you are connected to your PostgresSQL database running on AWS RDS! Now you can start creating tables, inserting data, and running queries.</p> <h2> Destroying Infra </h2> <p>Remember, infra has costs. When you are done experimenting, you can destroy the infra like follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform destroy <span class="nt">--auto-approve</span> </code></pre> </div> <h2> Conclusion </h2> <p>In this guide, we learned how to provision a managed PostgresSQL database using Amazon RDS with Terraform. We created a dedicated RDS module, defined security groups, and subnet groups, and integrated the database into our existing infrastructure. With the database up and running, you can now build applications that leverage its capabilities for data storage and retrieval.</p> <p>Usually the connection to the database should be done from application servers running in private subnets for security reasons. In production scenarios, consider additional aspects such as automated backups, monitoring, scaling, and high availability configurations. Explore more about RDS features in the <a href="https://docs.aws.amazon.com/rds/index.html" rel="noopener noreferrer">Amazon RDS Documentation</a>.</p> <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/provision-aws-secret-manager-retrieval-of-secrets-4g6b">AWS Secrets Manager</a> | <strong>Next:</strong> <a href="https://dev.to/vvasylkovskyi/load-test-4agk">Load Testing Infrastructure</a></p> aws database postgres terraform Viktor Vasylkovskyi Wed, 06 May 2026 15:56:10 +0000 https://forem.com/vvasylkovskyi/provision-aws-secret-manager-retrieval-of-secrets-4g6b https://forem.com/vvasylkovskyi/provision-aws-secret-manager-retrieval-of-secrets-4g6b <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/provision-cloudfront-cdn-with-terraform-94m">CloudFront CDN with Terraform</a></p> <p>Every modern web app has secrets that need to be shared securely with it. You web application may need to have a environment variable like an API key. That key should be stored in <a href="https://aws.amazon.com/secrets-manager/" rel="noopener noreferrer">AWS secrets manager</a>, it is a great use case for us to learn about how to give access to instance to the secret.</p> <h2> Overview </h2> <p>We are going to create infra same as before but with the secrets manager integrated</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fosbwo11zjun6hxlpspp4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fosbwo11zjun6hxlpspp4.png" alt=" " width="800" height="282"></a></p> <h2> Github Repository </h2> <p>This guide full code is available in <a href="https://github.com/IaC-Toolbox/iac-toolbox-project/tree/main/v7-secrets" rel="noopener noreferrer">https://github.com/IaC-Toolbox/iac-toolbox-project/tree/main/v7-secrets</a>. Feel free to clone it and follow along!</p> <h2> Creating a Secret in AWS Secret Manager </h2> <p>Now lets add the actual secrets. We need to add secrets only once, and then reference them. This is the process that we will repeat everytime the secret has to be updated. Let's do this from a command line using <code>aws</code> cli:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws secretsmanager create-secret <span class="se">\</span> <span class="nt">--name</span> <span class="s2">"my_app/v1/credentials"</span> <span class="se">\</span> <span class="nt">--description</span> <span class="s2">"Application credentials"</span> <span class="se">\</span> <span class="nt">--secret-string</span> <span class="s1">'{ "my_api_key": "your-api-key", }'</span> </code></pre> </div> <p>This command will create the secret values. If everything goes well, you should see an output like below:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">{</span> <span class="s2">"ARN"</span>: <span class="s2">"arn:aws:secretsmanager:us-east-1:088656249151:secret:&lt;your-service&gt;/&lt;some-path&gt;/credentials-MhS9Um"</span>, <span class="s2">"Name"</span>: <span class="s2">"&lt;your-service&gt;/&lt;some-path&gt;/credentials"</span>, <span class="s2">"VersionId"</span>: <span class="s2">"61c33df3-6e38-4f7f-8b9d-fda8bad3c880"</span> <span class="o">}</span> </code></pre> </div> <p>That output indicates your newly created secrets container with the secret.</p> <h2> Adding a secret </h2> <p>Now, we can add a dummy secret value. This can be done via UI, or CLI. Here is an example using CLI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">## Update secrets</span> <span class="c">#!/bin/bash</span> <span class="c"># Check if .env file exists</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> .env <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Error: .env file not found!"</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># Read .env file and create JSON string</span> <span class="nv">JSON_STRING</span><span class="o">=</span><span class="s2">"{"</span> <span class="nv">FIRST</span><span class="o">=</span><span class="nb">true </span><span class="k">while </span><span class="nv">IFS</span><span class="o">=</span><span class="s1">'='</span> <span class="nb">read</span> <span class="nt">-r</span> key value<span class="p">;</span> <span class="k">do</span> <span class="c"># Skip empty lines and comments</span> <span class="o">[[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$key</span><span class="s2">"</span> <span class="o">||</span> <span class="s2">"</span><span class="nv">$key</span><span class="s2">"</span> <span class="o">=</span>~ ^# <span class="o">]]</span> <span class="o">&amp;&amp;</span> <span class="k">continue</span> <span class="c"># Remove quotes from value</span> <span class="nv">value</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$value</span><span class="s2">"</span> | <span class="nb">sed</span> <span class="s1">'s/^"//;s/"$//'</span><span class="si">)</span> <span class="c"># Add comma if not first item</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$FIRST</span><span class="s2">"</span> <span class="o">=</span> <span class="nb">true</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nv">FIRST</span><span class="o">=</span><span class="nb">false </span><span class="k">else </span><span class="nv">JSON_STRING</span><span class="o">=</span><span class="s2">"</span><span class="nv">$JSON_STRING</span><span class="s2">,"</span> <span class="k">fi</span> <span class="c"># Add key-value pair to JSON</span> <span class="nv">JSON_STRING</span><span class="o">=</span><span class="s2">"</span><span class="nv">$JSON_STRING</span><span class="se">\"</span><span class="nv">$key</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="nv">$value</span><span class="se">\"</span><span class="s2">"</span> <span class="k">done</span> &lt; .env <span class="nv">JSON_STRING</span><span class="o">=</span><span class="s2">"</span><span class="nv">$JSON_STRING</span><span class="s2">}"</span> <span class="c"># Check if secret exists</span> <span class="k">if </span>aws secretsmanager describe-secret <span class="nt">--secret-id</span> <span class="s2">"my_app/v1/credentials"</span> <span class="o">&gt;</span>/dev/null 2&gt;&amp;1<span class="p">;</span> <span class="k">then</span> <span class="c"># Update existing secret</span> aws secretsmanager update-secret <span class="se">\</span> <span class="nt">--secret-id</span> <span class="s2">"my_app/v1/credentials"</span> <span class="se">\</span> <span class="nt">--secret-string</span> <span class="s2">"</span><span class="nv">$JSON_STRING</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"Secret updated successfully!"</span> <span class="k">else</span> <span class="c"># Create new secret</span> aws secretsmanager create-secret <span class="se">\</span> <span class="nt">--name</span> <span class="s2">"portfolio/app/credentials"</span> <span class="se">\</span> <span class="nt">--description</span> <span class="s2">"Application credentials"</span> <span class="se">\</span> <span class="nt">--secret-string</span> <span class="s2">"</span><span class="nv">$JSON_STRING</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"Secret created successfully!"</span> <span class="k">fi</span> </code></pre> </div> <p>The above script will read the <code>.env</code> file from a local folder, convert it to JSON format, and then either create a new secret or update an existing one in AWS Secrets Manager.</p> <p>Now let's create an <code>.env</code> file in the same folder as the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">my_api_key</span><span class="o">=</span><span class="s2">"your-api-key"</span> <span class="c"># Note, the new line is important at the end of the file</span> </code></pre> </div> <p>Let's run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>bash update-secrets.sh <span class="c"># Output below</span> <span class="o">{</span> <span class="s2">"ARN"</span>: <span class="s2">"arn:aws:secretsmanager:us-east-1:088656249151:secret:my_app/v1/credentials-5x50LZ"</span>, <span class="s2">"Name"</span>: <span class="s2">"my_app/v1/credentials"</span>, <span class="s2">"VersionId"</span>: <span class="s2">"8202b548-5236-45d2-94f4-4d87d146ad00"</span> <span class="o">}</span> Secret updated successfully! </code></pre> </div> <h2> Provisioning AWS Secret Manager and using Secrets </h2> <p>Let's start using the secrets in our infrastructure:</p> <h3> Retrieving Secret Container </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/secrets/main.tf</span> <span class="nx">data</span> <span class="s2">"aws_caller_identity"</span> <span class="s2">"current"</span> <span class="p">{}</span> <span class="nx">data</span> <span class="s2">"aws_secretsmanager_secret"</span> <span class="s2">"app_secrets"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">credentials_name</span> <span class="p">}</span> </code></pre> </div> <p>The code above defines a new secret in AWS Secrets Manager. It doesn't contain the actual secret value, just metadata about the secret. The <code>name</code> parameter should match the secret name you created using AWS CLI.</p> <p><code>data "aws_caller_identity" "current" {}</code> is a special AWS data source that provides information about the AWS account and IAM principal (user or role) currently being used to make API calls. It requires no arguments and returns three key pieces of information:</p> <ul> <li> <code>account_id</code> - Your AWS account number</li> <li> <code>arn</code> - The ARN (Amazon Resource Name) of the IAM user or role</li> <li> <code>user_id</code> - The unique identifier of the IAM user or role</li> </ul> <h3> Getting Secret Value </h3> <p>Next, we will define a data source to retrieve the secret value:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/secrets/main.tf</span> <span class="nx">data</span> <span class="s2">"aws_secretsmanager_secret_version"</span> <span class="s2">"current"</span> <span class="p">{</span> <span class="nx">secret_id</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_secretsmanager_secret</span><span class="p">.</span><span class="nx">app_secrets</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <p>We are using <code>id</code> from the previous data source to find the correct secret. By default it gets the latest version of the secret.</p> <p>Since the secret is a JSON string, we use <code>jsondecode</code> to convert this into Terraform map. We have to provide the <code>variables.tf</code> and <code>outputs.tf</code> files as well:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/secrets/variables.tf</span> <span class="nx">variable</span> <span class="s2">"credentials_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/secrets/outputs.tf</span> <span class="nx">output</span> <span class="s2">"secrets"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">jsondecode</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">aws_secretsmanager_secret_version</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">secret_string</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>Now, to use it in main module and in our ec-2 instance, we can do the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># main.tf</span> <span class="nx">module</span> <span class="s2">"secrets"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/secrets"</span> <span class="nx">credentials_name</span> <span class="p">=</span> <span class="s2">"my_app/v1/credentials"</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"ec2_first_instance"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/ec2"</span> <span class="nx">instance_ami</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_ami</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">security_group_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">security_group</span><span class="p">.</span><span class="nx">security_group_id</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">public_subnet_ids</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="nx">ssh_public_key</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ssh_public_key</span> <span class="nx">ssh_key_name</span> <span class="p">=</span> <span class="s2">"ec2-key-first-instance"</span> <span class="nx">user_data</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOF</span><span class="sh"> #!/bin/bash sudo apt-get update -y sudo apt-get install -y docker.io sudo systemctl start docker sudo systemctl enable docker # Add user to docker group sudo usermod -aG docker $USERNAME sudo docker run -d -p 80:80 \ -e MY_API_KEY=${module.secrets.secrets.my_api_key} \ nginx </span><span class="no"> EOF </span><span class="p">}</span> <span class="nx">module</span> <span class="s2">"ec2_second_instance"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/ec2"</span> <span class="nx">instance_ami</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_ami</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">security_group_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">security_group</span><span class="p">.</span><span class="nx">security_group_id</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">public_subnet_ids</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="nx">ssh_public_key</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ssh_public_key</span> <span class="c1"># Note, you can use the same public key for both instances, but not recommended for production</span> <span class="nx">ssh_key_name</span> <span class="p">=</span> <span class="s2">"ec2-key-second-instance"</span> <span class="nx">user_data</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOF</span><span class="sh"> #!/bin/bash sudo apt-get update -y sudo apt-get install -y docker.io sudo systemctl start docker sudo systemctl enable docker # Add user to docker group sudo usermod -aG docker $USERNAME sudo docker run -d -p 80:80 \ -e MY_API_KEY=${module.secrets.secrets.my_api_key} \ nginx </span><span class="no"> EOF </span><span class="p">}</span> </code></pre> </div> <p>Note that we are passing the secret value as an environment variable to the docker container using <code>-e</code> (environment variable) flag. Let's apply the changes here to ensure nothing breaks so far. Run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform init terraform apply <span class="nt">--auto-approve</span> </code></pre> </div> <h2> Testing the setup </h2> <p>To test if our setup is working, we can SSH into our EC-2 instance and check if the environment variable is set correctly.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh-add path/to/your/private-key.pem <span class="c"># Adds your private key to the ssh-agent</span> ssh ubuntu@&lt;EC2_PUBLIC_IP&gt; <span class="c"># Replace with your EC2 public IP</span> <span class="c">## Inside the EC2 instance, run:</span> ubuntu@ip-10-0-61-134:~<span class="nv">$ </span><span class="nb">sudo </span>docker ps <span class="c"># Outputs:</span> CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES e4dba1c33ac9 nginx <span class="s2">"/docker-entrypoint.…"</span> 3 seconds ago Up 1 second 0.0.0.0:80-&gt;80/tcp, :::80-&gt;80/tcp recursing_haslett </code></pre> </div> <p>The above command shows that our nginx container is running. Now, let's check if the environment variable is set correctly inside the container:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>docker <span class="nb">exec</span> <span class="nt">-it</span> e4dba1c33ac9 /bin/bash <span class="c"># Replace with your container ID, you can get it from `docker ps` command</span> <span class="c">## Inside the container</span> root@e4dba1c33ac9:/# <span class="nb">echo</span> <span class="nv">$MY_API_KEY</span> <span class="c">## Outputs</span> your-api-key </code></pre> </div> <h2> Destroying Infra </h2> <p>Remember, infra has costs. When you are done experimenting, you can destroy the infra like follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform destroy <span class="nt">--auto-approve</span> </code></pre> </div> <h2> Conclusion </h2> <p>So far this might have worked, but the secrets now get stored in plain text on the EC-2 instance. This is not ideal from security perspective. For instance, anyone with SSH access to the EC-2 instance can see the user data as follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl http://169.254.169.254/latest/user-data <span class="c"># Reveals user data in plain text</span> <span class="c">#!/bin/bash</span> <span class="nb">sudo </span>apt-get update <span class="nt">-y</span> <span class="nb">sudo </span>apt-get <span class="nb">install</span> <span class="nt">-y</span> docker.io <span class="nb">sudo </span>systemctl start docker <span class="nb">sudo </span>systemctl <span class="nb">enable </span>docker <span class="c"># Add user to docker group</span> <span class="nb">sudo </span>usermod <span class="nt">-aG</span> docker <span class="nv">$USERNAME</span> <span class="nb">sudo </span>docker run <span class="nt">-d</span> <span class="nt">-p</span> 80:80 <span class="se">\</span> <span class="nt">-e</span> <span class="nv">MY_API_KEY</span><span class="o">=</span>your-api-key <span class="se">\</span> nginx </code></pre> </div> <p>So while this tutorial shows how to setup the secrets store with AWS (Which you should do), the retrieval of secrets approach is not secure. Although it works. Providing a secure way is our of scope for now, since we are focusing on setting up a running infra rather than secure. Baby steps.</p> <p>Next, we will explore the next very important resource in AWS - The RDS (Relational Database Service) and see how to provision a managed database in AWS.</p> <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/provision-cloudfront-cdn-with-terraform-94m">CloudFront CDN with Terraform</a> | <strong>Next:</strong> <a href="https://dev.to/vvasylkovskyi/provisioning-postgressql-rdbms-on-aws-with-terraform-apc">Provisioning PostgreSQL RDS</a></p> aws devops security terraform Viktor Vasylkovskyi Wed, 06 May 2026 15:55:36 +0000 https://forem.com/vvasylkovskyi/provision-cloudfront-cdn-with-terraform-94m https://forem.com/vvasylkovskyi/provision-cloudfront-cdn-with-terraform-94m <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/provisioning-application-load-balancer-and-connecting-it-to-ec-2-instance-using-terraform-4po7">Application Load Balancer SSL</a></p> <p>Previously we have seen how to setup an EC-2 instance, run a simple web server and expose it at your domain using Route53. This allows us to access our web server using HTTP at port 80. If you haven't read about it, please refer to the previous notes:</p> <ul> <li><a href="https://dev.to/vvasylkovskyi/deploying-ec2-instance-on-aws-with-terraform-2h00">Deploying EC2 instance on AWS with Terraform</a></li> <li><a href="https://dev.to/vvasylkovskyi/provision-dns-records-with-terraform-2oja">Provision DNS records with Terraform</a></li> </ul> <p>The natural next step in that setup is to use HTTPS (HTTP + SSL) and enforce access at port 443 instead. We will do it here by adding Cloudfront and ACM to our terraform setup. Let's dive in.</p> <h2> Adding Cloudfront distribution </h2> <p>I will confess that it is not super easy to add CloudFront + ACM for HTTPS for a beginner, so I will break down the steps from simplest cloud architecture to most complicated one hopefully clarifying the steps and the reason for taking them.</p> <p>First step to add an HTTPS using Cloudfront is naturally to create a Cloudfront distribution. Cloudfront distribution is a CDN network that expands copies of your data towards other geographical locations. From the programmer point of view, Cloudfront is a URL - the distribution URL that uses the content from the <code>origin</code>. Hence these are the two fundamental pieces that we need for now to make sure the distribution works. So let's dive in.</p> <h3> Adding Cloudfront - Creating Origin Server </h3> <p>First thing is to define our origin endpoint. We can do it using Route53, where the origin is a URL pointing to our Ec-2 instance. Let's do it<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/dns/main.tf</span> <span class="k">resource</span> <span class="s2">"aws_route53_zone"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"viktorvasylkovskyi.com"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_route53_record"</span> <span class="s2">"origin"</span> <span class="p">{</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">main_zone_id</span> <span class="nx">name</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">domain_name</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"A"</span> <span class="nx">ttl</span> <span class="p">=</span> <span class="mi">300</span> <span class="nx">records</span> <span class="p">=</span> <span class="p">[</span><span class="kd">var</span><span class="p">.</span><span class="nx">origin_ip</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>Make sure to add the variables in <code>variables.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/dns/variables.tf</span> <span class="k">variable</span> <span class="s2">"main_zone_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"domain_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"origin_ip"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <p>And the origin_ip is going to be the public IP of our Ec-2 instance. So in the main <code>tf</code> file we need to update the module call:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># main.tf</span> <span class="k">module</span> <span class="s2">"dns"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/dns"</span> <span class="nx">domain_name</span> <span class="p">=</span> <span class="s2">"origin.your-domain.com"</span> <span class="nx">main_zone_id</span> <span class="p">=</span> <span class="nx">aws_route53_zone</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">zone_id</span> <span class="nx">origin_ip</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">ec2</span><span class="p">.</span><span class="nx">public_ip</span> <span class="p">}</span> </code></pre> </div> <p>And let's make sure to output the FQDN of our origin:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/dns/outputs.tf</span> <span class="k">output</span> <span class="s2">"origin_dns_record"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_route53_record</span><span class="p">.</span><span class="nx">origin</span><span class="p">.</span><span class="nx">fqdn</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The FQDN of the origin Route53 record"</span> <span class="p">}</span> </code></pre> </div> <p>You can test now by running <code>terraform apply</code>. Note, this <code>origin.your-domain.com</code> is going to be available on HTTP now.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy40d5whd1guo2f5iksii.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy40d5whd1guo2f5iksii.png" alt=" " width="534" height="144"></a></p> <h3> Adding Cloudfront - Define Distribution </h3> <p>Now that we have an origin, we can create distribution:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/cloudfront/main.tf</span> <span class="k">resource</span> <span class="s2">"aws_cloudfront_distribution"</span> <span class="s2">"cdn"</span> <span class="p">{</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">default_root_object</span> <span class="p">=</span> <span class="s2">"index.html"</span> <span class="nx">origin</span> <span class="p">{</span> <span class="nx">domain_name</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">aws_route53_origin_fqdn</span> <span class="nx">origin_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">aws_route53_origin_fqdn</span> <span class="nx">custom_origin_config</span> <span class="p">{</span> <span class="nx">http_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">https_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">origin_protocol_policy</span> <span class="p">=</span> <span class="s2">"http-only"</span> <span class="nx">origin_ssl_protocols</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"TLSv1.2"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">default_cache_behavior</span> <span class="p">{</span> <span class="nx">allowed_methods</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"GET"</span><span class="p">,</span> <span class="s2">"HEAD"</span><span class="p">]</span> <span class="nx">cached_methods</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"GET"</span><span class="p">,</span> <span class="s2">"HEAD"</span><span class="p">]</span> <span class="nx">target_origin_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">aws_route53_origin_fqdn</span> <span class="nx">forwarded_values</span> <span class="p">{</span> <span class="nx">query_string</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">cookies</span> <span class="p">{</span> <span class="nx">forward</span> <span class="p">=</span> <span class="s2">"none"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">viewer_protocol_policy</span> <span class="p">=</span> <span class="s2">"redirect-to-https"</span> <span class="nx">min_ttl</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">default_ttl</span> <span class="p">=</span> <span class="mi">3600</span> <span class="nx">max_ttl</span> <span class="p">=</span> <span class="mi">86400</span> <span class="p">}</span> <span class="nx">price_class</span> <span class="p">=</span> <span class="s2">"PriceClass_100"</span> <span class="nx">viewer_certificate</span> <span class="p">{</span> <span class="nx">cloudfront_default_certificate</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">restrictions</span> <span class="p">{</span> <span class="nx">geo_restriction</span> <span class="p">{</span> <span class="nx">restriction_type</span> <span class="p">=</span> <span class="s2">"none"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Whoa! that is a lot of configs. One of the main pieces there is the <code>target_origin_id</code>. This will be pointing to our <code>origin.your-domain.com</code>. For now we will use <code>cloudfront_default_certificate</code> which is CloudFront certificate.</p> <p>Let's add a variable and test output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/cloudfront/variables.tf</span> <span class="k">variable</span> <span class="s2">"aws_route53_origin_fqdn"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <p>And output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/cloudfront/outputs.tf</span> <span class="k">output</span> <span class="s2">"cloudfront_distribution_domain_name"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_cloudfront_distribution</span><span class="p">.</span><span class="nx">cdn</span><span class="p">.</span><span class="nx">domain_name</span> <span class="p">}</span> </code></pre> </div> <p>Also, if you followed through previous article on setting up the API Gateway, then make sure to remove the API Gateway related code from the <code>main.tf</code> and <code>variables.tf</code> files as we are not using it here. Additionally, ensure that you have the security group allowing HTTP from anywhere:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/security_group/main.tf</span> <span class="k">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"Security Group for API"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="p">}</span> <span class="p">...</span> <span class="nx">rest</span> <span class="nx">of</span> <span class="nx">the</span> <span class="nx">code</span> <span class="p">...</span> <span class="p">}</span> </code></pre> </div> <p>Finally, update the <code>main.tf</code> file to pass the origin FQDN to CloudFront module:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># main.tf</span> <span class="k">module</span> <span class="s2">"cloudfront"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/cloudfront"</span> <span class="nx">aws_route53_origin_fqdn</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">dns</span><span class="p">.</span><span class="nx">origin_dns_record</span> <span class="p">}</span> </code></pre> </div> <p>Also, ensure that we have outputs for CloudFront distribution domain name:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># outputs.tf</span> <span class="k">output</span> <span class="s2">"cloudfront_distribution_domain_name"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_cloudfront_distribution</span><span class="p">.</span><span class="nx">cdn</span><span class="p">.</span><span class="nx">domain_name</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"cloudfront_distribution_hosted_zone_id"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_cloudfront_distribution</span><span class="p">.</span><span class="nx">cdn</span><span class="p">.</span><span class="nx">hosted_zone_id</span> <span class="p">}</span> </code></pre> </div> <h2> Apply changes </h2> <p>Install the new module with <code>terraform init</code> and then run <code>terraform apply</code> and observe the <code>cloudfront_distribution_domain_name</code> output. It should return something like<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>d123456789abcdef.cloudfront.net. <span class="c"># example URL</span> </code></pre> </div> <p>If everything went well then you should be able to open the URL in the browser. (Notice the URL in browser)</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxodoeopdtjpa8d1fyzes.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxodoeopdtjpa8d1fyzes.png" alt=" " width="466" height="134"></a></p> <h2> Provision SSL Certificate </h2> <p>You can follow the previous guide on <a href="//./provision-ssl-certificate">Provisioning SSL Certificate</a> to provision the SSL certificate using ACM. Ensure that you have the certificate ARN available for use in the API Gateway module.</p> <h3> Adding CloudFront Distribution </h3> <p>In the next step we are going to create a cloudfront distribution which contains an endpoint with HTTPS termination and is a place where we are going to place our SSL certificate. First we need to set a rule to wait for the certificate to be validated before creating the distribution.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/cloudfront/main.tf</span> <span class="k">resource</span> <span class="s2">"aws_cloudfront_distribution"</span> <span class="s2">"cdn"</span> <span class="p">{</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="kd">var</span><span class="p">.</span><span class="nx">acm_certificate</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>Ensure to add a variable for it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/cloudfront/variables.tf</span> <span class="k">variable</span> <span class="s2">"acm_certificate"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <p>And bring this certificate from the <code>main.tf</code> file, from ssl module:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># main.tf</span> <span class="k">module</span> <span class="s2">"ssl_acm"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/acm"</span> <span class="nx">aws_route53_zone_id</span> <span class="p">=</span> <span class="nx">aws_route53_zone</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">zone_id</span> <span class="p">}</span> <span class="k">module</span> <span class="s2">"cloudfront_cdn"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/cloudfront"</span> <span class="nx">aws_route53_origin_fqdn</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">aws_route53_record</span><span class="p">.</span><span class="nx">origin_dns_record</span> <span class="nx">acm_certificate</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">ssl_acm</span><span class="p">.</span><span class="nx">aws_acm_certificate_arn</span> <span class="p">}</span> </code></pre> </div> <h3> Use SSL Certificate in CloudFront </h3> <p>We can now change the <strong>Viewer certificate:</strong> on CloudFront to use our validated ACM certificate for <a href="https://www.your-domain.com" rel="noopener noreferrer">https://www.your-domain.com</a>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/cloudfront/main.tf</span> <span class="k">resource</span> <span class="s2">"aws_cloudfront_distribution"</span> <span class="s2">"cdn"</span> <span class="p">{</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="kd">var</span><span class="p">.</span><span class="nx">acm_certificate</span><span class="p">]</span> <span class="p">...</span> <span class="nx">other</span> <span class="nx">code</span> <span class="p">...</span> <span class="nx">viewer_certificate</span> <span class="p">{</span> <span class="nx">acm_certificate_arn</span> <span class="p">=</span> <span class="nx">aws_acm_certificate</span><span class="p">.</span><span class="nx">cert</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">ssl_support_method</span> <span class="p">=</span> <span class="s2">"sni-only"</span> <span class="nx">minimum_protocol_version</span> <span class="p">=</span> <span class="s2">"TLSv1.2_2021"</span> <span class="p">}</span> <span class="p">...</span> <span class="nx">other</span> <span class="nx">code</span> <span class="p">...</span> <span class="p">}</span> </code></pre> </div> <h3> Route 53 Record Pointing to CloudFront </h3> <p>Now that Cloudfront setup is done, it is going to be available between our ec2 instance and our DNS. So now we have the Cloudfront doing SSL and sending requests to the ec2 instance. The last step is to enable our DNS Route 53 to send.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/dns/main.tf</span> <span class="k">resource</span> <span class="s2">"aws_route53_record"</span> <span class="s2">"origin"</span> <span class="p">{</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">main_zone_id</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"origin.viktorvasylkovskyi.com"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"A"</span> <span class="nx">ttl</span> <span class="p">=</span> <span class="mi">300</span> <span class="nx">records</span> <span class="p">=</span> <span class="p">[</span><span class="kd">var</span><span class="p">.</span><span class="nx">origin_ip</span><span class="p">]</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_route53_record"</span> <span class="s2">"www"</span> <span class="p">{</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">main_zone_id</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"www.viktorvasylkovskyi.com"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"A"</span> <span class="nx">alias</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">target_domain_name</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">hosted_zone_id</span> <span class="nx">evaluate_target_health</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>And make sure to use the correct variables:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/dns/variables.tf</span> <span class="k">variable</span> <span class="s2">"main_zone_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"target_domain_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"hosted_zone_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"origin_ip"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <p>This sets an alias A record in Route 53 so your domain <code>www.your-domain.com</code> points to the CloudFront distribution instead of the EC2 directly.</p> <p>Finally, let's glue it all together in the <code>main.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># main.tf</span> <span class="k">resource</span> <span class="s2">"aws_route53_zone"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"your-domain.com"</span> <span class="p">}</span> <span class="k">module</span> <span class="s2">"ssl_acm"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/acm"</span> <span class="nx">aws_route53_zone_id</span> <span class="p">=</span> <span class="nx">aws_route53_zone</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">zone_id</span> <span class="p">}</span> <span class="k">module</span> <span class="s2">"cloudfront_cdn"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/cloudfront"</span> <span class="nx">aws_route53_origin_fqdn</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">aws_route53_record</span><span class="p">.</span><span class="nx">origin_dns_record</span> <span class="nx">acm_certificate</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">ssl_acm</span><span class="p">.</span><span class="nx">aws_acm_certificate_arn</span> <span class="p">}</span> <span class="k">module</span> <span class="s2">"aws_route53_record"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/dns"</span> <span class="nx">main_zone_id</span> <span class="p">=</span> <span class="nx">aws_route53_zone</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">zone_id</span> <span class="nx">origin_ip</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">ec2</span><span class="p">.</span><span class="nx">public_ip</span> <span class="nx">target_domain_name</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">cloudfront_cdn</span><span class="p">.</span><span class="nx">cloudfront_distribution_domain_name</span> <span class="nx">hosted_zone_id</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">cloudfront_cdn</span><span class="p">.</span><span class="nx">cloudfront_distribution_hosted_zone_id</span> <span class="p">}</span> </code></pre> </div> <p>Lastly, let's not forget to expose port 443 in our VPC security group:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># security_group.tf</span> <span class="k">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"my-app"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"SSH Port"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="p">...</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"0.0.0.0/0"</span> <span class="p">]</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="p">}</span> <span class="p">...</span> <span class="p">}</span> </code></pre> </div> <h3> Output </h3> <p>Finally, let's add some output for debugging:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># output.tf</span> <span class="k">output</span> <span class="s2">"https_url"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"https://www.your-domain.com"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Public HTTPS endpoint for the EC2 app."</span> <span class="p">}</span> </code></pre> </div> <p>All should be working now, lets try to provision our new infrastructure. Run: <code>terraform apply --auto-approve</code>.</p> <h2> Final Validations </h2> <p>You should be able to open your app using <code>https://www.your-domain.com</code>. However if it is not working, we can troubleshoot:</p> <h3> Check DNS propagation </h3> <p>Run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>dig www.your-domain.com +short </code></pre> </div> <p>If it still returns an IP address, it means the A record is pointing directly to EC2 and not CloudFront — which won't support HTTPS directly.</p> <h2> Destroying Infra </h2> <p>Remember, infra has costs. When you are done experimenting, you can destroy the infra like follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform destroy <span class="nt">--auto-approve</span> </code></pre> </div> <h2> Conclusion </h2> <p>We have covered quite a bit of things today:</p> <ul> <li>SSL certificate via ACM</li> <li>HTTPS access via CloudFront</li> <li>DNS validation using Route 53</li> <li>A secure, CDN-backed endpoint for your EC2 app at <a href="https://www.your-domain.com" rel="noopener noreferrer">https://www.your-domain.com</a> </li> </ul> <p>At this point you are well equipped to set you application in production as you now have HTTPS and a Ec-2 instance and can access to it via your domain name. Next, lets explore how to setup Application Load Balancer in front of our EC-2 instance. Continue reading the <a href="//./provisioning-alb-as-ssl-termination-and-ec2">Provision Application Load Balancer with Terraform</a>.</p> <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/provisioning-application-load-balancer-and-connecting-it-to-ec-2-instance-using-terraform-4po7">Application Load Balancer SSL</a> | <strong>Next:</strong> <a href="https://dev.to/vvasylkovskyi/provision-aws-secret-manager-retrieval-of-secrets-4g6b">AWS Secrets Manager</a></p> aws infrastructure terraform tutorial Viktor Vasylkovskyi Wed, 06 May 2026 15:55:14 +0000 https://forem.com/vvasylkovskyi/provisioning-application-load-balancer-and-connecting-it-to-ec-2-instance-using-terraform-4po7 https://forem.com/vvasylkovskyi/provisioning-application-load-balancer-and-connecting-it-to-ec-2-instance-using-terraform-4po7 <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/provisioning-api-gateway-and-connecting-it-to-ec-2-instance-using-terraform-48ib">API Gateway SSL Termination</a></p> <p>In this notes we will continue improving on our infrastructure by adding HTTPS to our web app.</p> <p>Due to extra complexity in requirements of setting up the ALB, our network topology will suffer some changes. For example, a load balancer requires two availability zones to run in AWS. This means extra configuration overhead which we will have to work with.</p> <p>As a bonus, since we will have multiple availability zones, we are going to showcase in the end of this guide how to make ALB work with 2 EC-2 instances. And you could scale to as much instances as you want!</p> <h2> Architecture Overview </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa3m1le29ket44gb900uf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa3m1le29ket44gb900uf.png" alt=" " width="800" height="247"></a></p> <p>We will do the following:</p> <ul> <li>Modify Network so that we have two subnets in two availability zones. This is required for load balancer to work.</li> <li>Provision SSL certificate using ACM, for load balancer</li> <li>Provision Load Balancer itself, and make it proxy requests to the EC-2 instances</li> <li>Update Route53 to point our DNS to the Load Balancer</li> <li>Update Ec-2 to serve slightly different app for demonstration purposes</li> </ul> <h2> Github Repository </h2> <p>This guide full code is available in <a href="https://github.com/IaC-Toolbox/iac-toolbox-project/tree/main/v6-ssl-load-balancer" rel="noopener noreferrer">https://github.com/IaC-Toolbox/iac-toolbox-project/tree/main/v6-ssl-load-balancer</a>. Feel free to clone it and follow along!</p> <h2> Modify Network module to have multiple availability zones </h2> <p>In the <code>modules/network</code>, change the <code>main.tf</code> to include multiple availability zones:</p> <p>For simplicity, we will define only two public subnets, without private subnets.</p> <h4> List Availability Zones </h4> <p>First, we will define a resource listing availability zones.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/network/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_vpc"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_cidr</span> <span class="nx">enable_dns_hostnames</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_dns_support</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">data</span> <span class="s2">"aws_availability_zones"</span> <span class="s2">"available"</span> <span class="p">{}</span> </code></pre> </div> <p>This resource returns a list of all AZ available in the region configured in the AWS credentials.</p> <h4> Add two public subnets </h4> <p>We will be using the terraform <code>count</code> directive. <code>count</code> is used as a loop, so we can define some resource multiple times. Since we only need two public subnets, naturaly the <code>count=2</code>. Let's write two public subnets:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/network/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"public"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="nx">cidrsubnet</span><span class="p">(</span><span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">cidr_block</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">2</span> <span class="err">+</span> <span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">)</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_availability_zones</span><span class="p">.</span><span class="nx">available</span><span class="p">.</span><span class="nx">names</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">]</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">map_public_ip_on_launch</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <p>We are referencing the <code>data.aws_availability_zones.available.names</code> defined about to choose an availability name in our <code>vpc</code>. Besides that, we need the route table to define how network traffic is directed within our VPC (i.e., after internet gateway).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/network/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_internet_gateway"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_route_table"</span> <span class="s2">"public"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">route</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">gateway_id</span> <span class="p">=</span> <span class="nx">aws_internet_gateway</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The above code will create a route table for our VPC. The <code>route</code> says that all the outbound traffic <code>0.0.0.0/0</code> will be directed to the internet via the VPC's Internet Gateway. This piece of code essentially makes our subnet using this route table <em>public</em>. Now this route table is attached to our VPC, but not to subnet. To attach it to our two subnets, we need to create an association between subnets and this route table:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/network/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_route_table_association"</span> <span class="s2">"public"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">public</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">].</span><span class="nx">id</span> <span class="nx">route_table_id</span> <span class="p">=</span> <span class="nx">aws_route_table</span><span class="p">.</span><span class="nx">public</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <p>Finally, we will make our route table a main one, just to leave explicit association.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/network/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_main_route_table_association"</span> <span class="s2">"public_main"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">route_table_id</span> <span class="p">=</span> <span class="nx">aws_route_table</span><span class="p">.</span><span class="nx">public</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <p>Let's expose the public subnet IDs as output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/network/outputs.tf</span> <span class="nx">output</span> <span class="s2">"vpc_id"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"public_subnet_ids"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">public</span><span class="p">[*].</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <h2> Provision SSL Certificate </h2> <p>Let's create an ACM resource. You can follow the previous guide on <a href="https://dev.to/vvasylkovskyi/provisioning-ssl-certificate-109a">Provisioning SSL Certificate</a> to provision the SSL certificate using ACM. Ensure that you have the certificate ARN available for use in the API Gateway module.</p> <h2> Provisioning AWS Load Balancer </h2> <p>Now that we have network and SSL certificate, we can start provisioning load balancer itself.</p> <h3> Creating ALB </h3> <p>First, let's create ALB resource:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/alb/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_lb"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"my-app-alb"</span> <span class="nx">internal</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">load_balancer_type</span> <span class="p">=</span> <span class="s2">"application"</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">my_alb</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">subnets</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnets</span> <span class="p">}</span> </code></pre> </div> <p>Load balancer will to be inserted in front of our public subnets (hence the <code>internal=false</code>), i.e, the subnets that we have just created. The <code>load_balancer_type=application</code> is the typical for most web applications. Alternatives are <code>network</code> and <code>gateway</code>.</p> <p>The security group for ALB needs to allow igress for 443 (SSL) and egress for everything is fine for now.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/alb/main.tf</span> <span class="k">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"my_alb"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"Security Group for Application Load Balancer"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Note we are passing multiple <code>subnets</code> created in the network module above. Let's define them as variable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/alb/variables.tf</span> <span class="nx">variable</span> <span class="s2">"subnets"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"vpc_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <h3> Provision ALB Target Group and ALB Listener </h3> <p>The ALB Listener and ALB Target Group are input and output rules of ALB. We will define that ALB accepts requests at port 443 and use <code>certificate_arn</code> our SSL certificate. The only action ALB will do is HTTPS termination and then a simple forward to the ALB Target group - our cluster.</p> <p><strong>Begin with defining ALB Listener:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/alb/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_lb_listener"</span> <span class="s2">"https"</span> <span class="p">{</span> <span class="nx">load_balancer_arn</span> <span class="p">=</span> <span class="nx">aws_lb</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"HTTPS"</span> <span class="nx">ssl_policy</span> <span class="p">=</span> <span class="s2">"ELBSecurityPolicy-2016-08"</span> <span class="nx">certificate_arn</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">acm_certificate_cert_arn</span> <span class="nx">default_action</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"forward"</span> <span class="nx">target_group_arn</span> <span class="p">=</span> <span class="nx">aws_lb_target_group</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">acm_certificate_cert</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>And now, we have to define our target group: <code>target_group_arn</code>.</p> <p><strong>Defining our Target Group:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/alb/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_lb_target_group"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"my-app-tg"</span> <span class="nx">port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"HTTP"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">health_check</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"/"</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"HTTP"</span> <span class="nx">matcher</span> <span class="p">=</span> <span class="s2">"200-399"</span> <span class="nx">interval</span> <span class="p">=</span> <span class="mi">30</span> <span class="nx">timeout</span> <span class="p">=</span> <span class="mi">15</span> <span class="nx">healthy_threshold</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">unhealthy_threshold</span> <span class="p">=</span> <span class="mi">5</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_lb</span><span class="p">.</span><span class="nx">my_app</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>From our load balancer we will forward requests into our cluster, which contains Ec-2 instances listening on port 80. Since we are in our subnet, it is safe to use HTTP. The <code>health_check</code> block defines which URL the ALB uses to decide if the target containers are healthy. Here we define the base URL since this is our simples python server application. You can read more information about <a href="https://docs.aws.amazon.com/elasticloadbalancing/latest/application/target-group-health-checks.html" rel="noopener noreferrer">health checks on AWS docs</a>. <code>healthy_threshold</code> and <code>unhealthy_threshold</code> define how many (failed) healthchecks a target should be evaluated as healthy or unhealthy. These healthchecks are performed in intervals of seconds defined in interval.</p> <p>Let's not forget to define the additional variables in <code>variables.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/alb/variables.tf</span> <span class="nx">variable</span> <span class="s2">"subnets"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"vpc_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"acm_certificate_cert_arn"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"acm_certificate_cert"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">object</span><span class="p">({</span> <span class="nx">arn</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">id</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <h3> Attach EC-2 to the Target Group </h3> <p>For Load Balancer to forward requests to the EC-2, we need to attach it to the target group. This is done using <code>aws_lb_target_group_attachment</code> resource:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_lb_target_group_attachment"</span> <span class="s2">"ec2_attachment"</span> <span class="p">{</span> <span class="nx">target_group_arn</span> <span class="p">=</span> <span class="nx">aws_lb_target_group</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">target_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ec2_first_instance_id</span> <span class="nx">port</span> <span class="p">=</span> <span class="mi">80</span> <span class="p">}</span> </code></pre> </div> <p>Note port 80 is the HTTP but it is fine, since we already checked for SSL at the load balancer listener.</p> <p>Let's add a variable for <code>ec2_first_instance_id</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/alb/variables.tf</span> <span class="nx">variable</span> <span class="s2">"ec2_first_instance_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <p>Note, we have called it <code>ec2_first_instance_id</code> because we will be adding more EC-2 instances later. Let's ensure setup works with one instance first... Oh well! It is not that hard. Let's prepare out load balancer to accept array of ec2 instances already</p> <p><strong>Variables</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/alb/variables.tf</span> <span class="nx">variable</span> <span class="s2">"ec2_instance_ids"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p><strong>Attachment Resource</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/alb/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_lb_target_group_attachment"</span> <span class="s2">"ec2_attachment"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">ec2_instance_ids</span><span class="p">)</span> <span class="nx">target_group_arn</span> <span class="p">=</span> <span class="nx">aws_lb_target_group</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">target_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ec2_instance_ids</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">]</span> <span class="nx">port</span> <span class="p">=</span> <span class="mi">80</span> <span class="p">}</span> </code></pre> </div> <p>Note we are using the <code>count</code> directive to loop over all the EC-2 instance IDs passed in the variable <code>ec2_instance_ids</code>.</p> <p><strong>Outputs</strong></p> <p>And lets expose the DNS name and zone ID of the load balancer for later use in Route53:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/alb/outputs.tf</span> <span class="nx">output</span> <span class="s2">"dns_name"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_lb</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">dns_name</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"zone_id"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_lb</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">zone_id</span> <span class="p">}</span> </code></pre> </div> <h2> Update Route53 to Point to ALB </h2> <p>We have HTTPS on our ALB, now we have to make DNS point to ALB.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/dns/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_route53_record"</span> <span class="s2">"record"</span> <span class="p">{</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_route53_zone</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">zone_id</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">domain_name</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"A"</span> <span class="nx">alias</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">aws_dns_name</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">aws_zone_id</span> <span class="nx">evaluate_target_health</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>and Outputs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/dns/outputs.tf</span> <span class="nx">output</span> <span class="s2">"www_dns_record"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_route53_record</span><span class="p">.</span><span class="nx">www</span><span class="p">.</span><span class="nx">fqdn</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The FQDN of the www Route53 record"</span> <span class="p">}</span> </code></pre> </div> <h2> Update Ec-2 to use the subnets from the network module </h2> <p>The Ec-2 instance also needs to be updated to use one of the two public subnets created in the network module:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/ec2/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_key_pair"</span> <span class="s2">"ssh-key"</span> <span class="p">{</span> <span class="nx">key_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ssh_key_name</span> <span class="nx">public_key</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ssh_public_key</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">security_group_name</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="p">}</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_ami</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">availability_zone</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">associate_public_ip_address</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnet_id</span> <span class="nx">key_name</span> <span class="p">=</span> <span class="nx">aws_key_pair</span><span class="p">.</span><span class="nx">ssh-key</span><span class="p">.</span><span class="nx">key_name</span> <span class="nx">user_data</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOF</span><span class="sh"> #!/bin/bash sudo yum update -y || sudo apt-get update -y sudo yum install -y python3 || sudo apt-get install -y python3 echo "&lt;html&gt;&lt;body&gt;&lt;h1&gt;Hello from Terraform EC2!&lt;/h1&gt;&lt;/body&gt;&lt;/html&gt;" &gt; index.html nohup python3 -m http.server 80 &amp; </span><span class="no"> EOF </span><span class="p">}</span> </code></pre> </div> <h2> Now let's glue everything together in the Root Module </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># main.tf</span> <span class="nx">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="nx">shared_credentials_files</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"./.aws-credentials"</span><span class="p">]</span> <span class="nx">profile</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"network"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/network"</span> <span class="nx">vpc_cidr</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="nx">subnet_cidr</span> <span class="p">=</span> <span class="s2">"10.0.1.0/24"</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">availability_zone</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"ec2_first_instance"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/ec2"</span> <span class="nx">instance_ami</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_ami</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">availability_zone</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">public_subnet_ids</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="nx">ssh_public_key</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ssh_public_key</span> <span class="nx">ssh_key_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ssh_key_name</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_route53_zone"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"viktorvasylkovskyi.com"</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"ssl_acm"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/acm"</span> <span class="nx">aws_route53_zone_id</span> <span class="p">=</span> <span class="nx">aws_route53_zone</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">zone_id</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"alb"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/alb"</span> <span class="nx">subnets</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">public_subnet_ids</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">acm_certificate_arn</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">ssl_acm</span><span class="p">.</span><span class="nx">aws_acm_certificate_arn</span> <span class="nx">aws_acm_certificate_cert</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">ssl_acm</span><span class="p">.</span><span class="nx">aws_acm_certificate_cert</span> <span class="nx">ec2_instance_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">module</span><span class="p">.</span><span class="nx">ec2_first_instance</span><span class="p">.</span><span class="nx">instance_id</span><span class="p">]</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"aws_route53_record"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/dns"</span> <span class="nx">main_zone_id</span> <span class="p">=</span> <span class="nx">aws_route53_zone</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">zone_id</span> <span class="nx">target_domain_name</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">alb</span><span class="p">.</span><span class="nx">dns_name</span> <span class="nx">hosted_zone_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">alb</span><span class="p">.</span><span class="nx">zone_id</span> <span class="p">}</span> </code></pre> </div> <h2> Creating second EC-2 instance </h2> <p>We need to alter out ec2 module so that we can create multiple instances.</p> <h3> Single SSH Key Pair per EC-2 instance </h3> <p>One of the things we have to change is the SSH key pair. Each EC-2 instance needs to have its own key pair. So we will add a variable <code>ssh_key_name</code> to the ec2 module. Same to the <code>security_group_name</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/ec2/variables.tf</span> <span class="nx">variable</span> <span class="s2">"instance_ami"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"instance_type"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"availability_zone"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"subnet_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"ssh_public_key"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"ssh_key_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"security_group_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <p>And int he <code>main.tf</code> of the ec2 module we will use this variable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/ec2/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_key_pair"</span> <span class="s2">"ssh-key"</span> <span class="p">{</span> <span class="nx">key_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ssh_key_name</span> <span class="nx">public_key</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ssh_public_key</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">security_group_name</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="p">}</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># ... rest of the code ...</span> </code></pre> </div> <h3> No hardcoding availability zone </h3> <p>We will also remove hardcoding of availability zone in the ec2 module, so that we can create multiple instances in different availability zones. Since we are already passing <code>subnet_id</code> to the ec2 module, we do not need to pass availability zone separately. So we can remove it from the variables and from the ec2 instance resource.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/ec2/variables.tf</span> <span class="nx">variable</span> <span class="s2">"instance_ami"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"instance_type"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"security_group_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"subnet_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"ssh_public_key"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"ssh_key_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"security_group_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/ec2/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_ami</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">associate_public_ip_address</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnet_id</span> <span class="nx">key_name</span> <span class="p">=</span> <span class="nx">aws_key_pair</span><span class="p">.</span><span class="nx">ssh-key</span><span class="p">.</span><span class="nx">key_name</span> <span class="nx">user_data</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOF</span><span class="sh"> #!/bin/bash sudo yum update -y || sudo apt-get update -y sudo yum install -y python3 || sudo apt-get install -y python3 echo "&lt;html&gt;&lt;body&gt;&lt;h1&gt;Hello from Terraform EC2!&lt;/h1&gt;&lt;/body&gt;&lt;/html&gt;" &gt; index.html nohup python3 -m http.server 80 &amp; </span><span class="no"> EOF </span><span class="p">}</span> </code></pre> </div> <p>To create a second EC-2 instance, we can simply duplicate the <code>ec2_first_instance</code> module call and change the subnet to the second public subnet created in the network module.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># main.tf</span> <span class="nx">module</span> <span class="s2">"ec2_first_instance"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/ec2"</span> <span class="nx">instance_ami</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_ami</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">security_group_name</span> <span class="p">=</span> <span class="s2">"first-ec2-instance"</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">public_subnet_ids</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="nx">ssh_public_key</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ssh_public_key</span> <span class="nx">ssh_key_name</span> <span class="p">=</span> <span class="s2">"ec2-key-first-instance"</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"ec2_second_instance"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/ec2"</span> <span class="nx">instance_ami</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_ami</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">security_group_name</span> <span class="p">=</span> <span class="s2">"second-ec2-instance"</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">public_subnet_ids</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="nx">ssh_public_key</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ssh_public_key</span> <span class="c1"># Note, you can use the same public key for both instances, but not recommended for production</span> <span class="nx">ssh_key_name</span> <span class="p">=</span> <span class="s2">"ec2-key-second-instance"</span> <span class="p">}</span> <span class="c1"># ... other code ...</span> <span class="nx">module</span> <span class="s2">"alb"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/alb"</span> <span class="nx">subnets</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">public_subnet_ids</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">acm_certificate_arn</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">ssl_acm</span><span class="p">.</span><span class="nx">aws_acm_certificate_arn</span> <span class="nx">aws_acm_certificate_cert</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">ssl_acm</span><span class="p">.</span><span class="nx">aws_acm_certificate_cert</span> <span class="nx">ec2_instance_ids</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">module</span><span class="p">.</span><span class="nx">ec2_first_instance</span><span class="p">.</span><span class="nx">instance_id</span><span class="p">,</span> <span class="nx">module</span><span class="p">.</span><span class="nx">ec2_second_instance</span><span class="p">.</span><span class="nx">instance_id</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h3> Custom Initializing of ec-2 user data </h3> <p>To make things a little more interesting, let's change the <code>user_data</code> of the ec-2 instances to show which instance is serving the request. We can do that by changing the <code>user_data</code> in the ec2 module to accept a variable <code>user_data</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/ec2/variables.tf</span> <span class="nx">variable</span> <span class="s2">"instance_ami"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"instance_type"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"security_group_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"subnet_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"ssh_public_key"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"ssh_key_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"security_group_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"user_data"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <h3> Setting user data in ec2 module, start docker container </h3> <p>To test our setup and load balancer work, we need to see both ec-2 instances serving different content. We can do that by passing different <code>user_data</code> to each ec-2 instance module call. Of course, in production you will probably want them to be the same to achieve redundancy and make load balancer worth its while. Here we are doing it for the demonstration purposes only.</p> <p>First, let's update the ec2 module to use the <code>user_data</code> variable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/ec2/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_ami</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">security_group_id</span><span class="p">]</span> <span class="nx">associate_public_ip_address</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnet_id</span> <span class="nx">key_name</span> <span class="p">=</span> <span class="nx">aws_key_pair</span><span class="p">.</span><span class="nx">ssh-key</span><span class="p">.</span><span class="nx">key_name</span> <span class="nx">user_data</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">user_data</span> <span class="p">}</span> </code></pre> </div> <p>And now, we can pass different <code>user_data</code> to each ec-2 instance module call in the root module. Let's keep the <code>user_data</code> in the first ec-2 instance as is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"ec2_first_instance"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/ec2"</span> <span class="nx">instance_ami</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_ami</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">public_subnet_ids</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="nx">ssh_public_key</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ssh_public_key</span> <span class="nx">ssh_key_name</span> <span class="p">=</span> <span class="s2">"ec2-key-first-instance"</span> <span class="nx">security_group_name</span> <span class="p">=</span> <span class="s2">"first-ec2-instance"</span> <span class="nx">user_data</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOF</span><span class="sh"> #!/bin/bash sudo yum update -y || sudo apt-get update -y sudo yum install -y python3 || sudo apt-get install -y python3 echo "&lt;html&gt;&lt;body&gt;&lt;h1&gt;Hello from Terraform EC2!&lt;/h1&gt;&lt;/body&gt;&lt;/html&gt;" &gt; index.html nohup python3 -m http.server 80 &amp; </span><span class="no"> EOF </span><span class="p">}</span> </code></pre> </div> <p>And now, the second ec-2 instance will have different <code>user_data</code>. Let's make it server the docker image with nginx:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"ec2_second_instance"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/ec2"</span> <span class="nx">instance_ami</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_ami</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">public_subnet_ids</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="nx">ssh_public_key</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ssh_public_key</span> <span class="c1"># Note, you can use the same public key for both instances, but not recommended for production</span> <span class="nx">ssh_key_name</span> <span class="p">=</span> <span class="s2">"ec2-key-second-instance"</span> <span class="nx">security_group_name</span> <span class="p">=</span> <span class="s2">"second-ec2-instance"</span> <span class="nx">user_data</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOF</span><span class="sh"> #!/bin/bash sudo apt-get update -y sudo apt-get install -y docker.io sudo systemctl start docker sudo systemctl enable docker # Add user to docker group sudo usermod -aG docker $USERNAME sudo docker run -d -p 80:80 nginx </span><span class="no"> EOF </span><span class="p">}</span> </code></pre> </div> <p>Finally, add outputs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># outputs.tf</span> <span class="nx">output</span> <span class="s2">"ec2_first_instance_ip_address"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">ec2_first_instance</span><span class="p">.</span><span class="nx">public_ip</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The Elastic IP address allocated to the first EC2 instance."</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"ec2_second_instance_ip_address"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">ec2_second_instance</span><span class="p">.</span><span class="nx">public_ip</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The Elastic IP address allocated to the second EC2 instance."</span> <span class="p">}</span> </code></pre> </div> <h2> Testing the setup </h2> <p>Now run the following commands:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform init terraform apply <span class="nt">--auto-approve</span> </code></pre> </div> <p>And observe the output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Outputs: ec2_first_instance_ip_address <span class="o">=</span> <span class="s2">"34.201.164.185"</span> ec2_second_instance_ip_address <span class="o">=</span> <span class="s2">"54.236.186.223"</span> </code></pre> </div> <p>Navigate to <code>https://www.your-domain.com</code> and see the magic happen!<br> Double check that you have two EC-2 instances serving the requests by refreshing the page multiple times.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq148emhz40887h27i0kr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq148emhz40887h27i0kr.png" alt=" " width="800" height="169"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fulqz2b0a7aydqxz80ub2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fulqz2b0a7aydqxz80ub2.png" alt=" " width="800" height="177"></a></p> <h2> Destroying Infra </h2> <p>Remember, infra has costs. When you are done experimenting, you can destroy the infra like follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform destroy <span class="nt">--auto-approve</span> </code></pre> </div> <h2> Conclusion </h2> <p>Whoa! This was quite a journey. I am super glad you made it to the end. We have successfully provisioned an Application Load Balancer with SSL termination and connected it to multiple EC-2 instances using Terraform. This is a solid foundation for building scalable and secure web applications on AWS. For now this is the end of the road. However, there is lots of things to explore further, such as autoscaling groups, more complex health checks, and advanced routing rules.</p> <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/provisioning-api-gateway-and-connecting-it-to-ec-2-instance-using-terraform-48ib">API Gateway SSL Termination</a> | <strong>Next:</strong> <a href="https://dev.to/vvasylkovskyi/provision-cloudfront-cdn-with-terraform-94m">CloudFront CDN with Terraform</a></p> aws infrastructure terraform tutorial Viktor Vasylkovskyi Wed, 06 May 2026 15:54:40 +0000 https://forem.com/vvasylkovskyi/provisioning-api-gateway-and-connecting-it-to-ec-2-instance-using-terraform-48ib https://forem.com/vvasylkovskyi/provisioning-api-gateway-and-connecting-it-to-ec-2-instance-using-terraform-48ib <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/provisioning-ssl-certificate-109a">Provision SSL Certificate</a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fldq8hvulkgixsfbkmfm4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fldq8hvulkgixsfbkmfm4.png" alt=" " width="800" height="237"></a></p> <p>The architecture of our infrastructure is going to change a bit now, as we have to accommodate the API Gateway in between our Ec-2 and the DNS resolution. The overall architecture looks like this:</p> <ul> <li>Provision SSL certificate using ACM, for our API Gateway</li> <li>Provision API Gateway itself, and make it proxy requests to EC-2 instance</li> <li>Update Route53 to point our DNS to the Load Balancer</li> <li>Update EC-2 Instance to enable port 80, and update the security group with rule to accept incoming traffic only from API Gateway.</li> </ul> <h2> Github Repository </h2> <p>This guide full code is available in <a href="https://github.com/IaC-Toolbox/iac-toolbox-project/tree/main/v5-api-gateway" rel="noopener noreferrer">https://github.com/IaC-Toolbox/iac-toolbox-project/tree/main/v5-api-gateway</a>. Feel free to clone it and follow along!</p> <h2> Provision SSL Certificate </h2> <p>You can follow the previous guide on <a href="https://dev.to/vvasylkovskyi/provisioning-ssl-certificate-109a">Provisioning SSL Certificate</a> to provision the SSL certificate using ACM. Ensure that you have the certificate ARN available for use in the API Gateway module.</p> <h2> Provisioning AWS API Gateway </h2> <p>Now that we have network and SSL certificate, we can start provisioning the API Gateway itself.</p> <h3> Creating API Gateway </h3> <p>First, let's create API Gateway resource:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/api-gateway/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_apigatewayv2_api"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">api_name</span> <span class="nx">protocol_type</span> <span class="p">=</span> <span class="s2">"HTTP"</span> <span class="p">}</span> </code></pre> </div> <p>The above creates an API Container for a new API Gateway HTTP API (v2 is the newer version). We tell the API name an tell it that it is an HTTP API. It could be also web socket one if using <code>protocol_type = WEBSOCKET</code>.</p> <h3> Creating Integration to Ec2 </h3> <p>Now, we are going to define the integration between our ec2 and the new api gateway:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/api-gateway/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_apigatewayv2_integration"</span> <span class="s2">"ec2"</span> <span class="p">{</span> <span class="nx">api_id</span> <span class="p">=</span> <span class="nx">aws_apigatewayv2_api</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> <span class="nx">integration_type</span> <span class="p">=</span> <span class="s2">"HTTP_PROXY"</span> <span class="nx">integration_uri</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ec2_public_url</span> <span class="nx">integration_method</span> <span class="p">=</span> <span class="s2">"ANY"</span> <span class="nx">payload_format_version</span> <span class="p">=</span> <span class="s2">"1.0"</span> <span class="p">}</span> </code></pre> </div> <p>We define the both <code>uri</code>s above - the API Gateway and the EC-2 instance. <code>integration_type</code> tells that it is an HTTP Proxy meaning that all requests are forwarded into <code>integration_url</code> as is. <code>payload_format_version</code> is simply to ensure the request/response payload use HTTP/1.1 passthrough formatting.</p> <p>Notice that <code>ec2_public_url</code> has to be a full URL like: <code>"http://&lt;public-ec2-ip&gt;:8080"</code></p> <h3> Integration Routes </h3> <p>Now that we have integration done, we need to specify when to activate it, i.e., on which request route. In our case it is all the requests should be routed to EC-2, so we need to say "whatever the request route/path, proxy it to ec2". Saying it in terraform language is like following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/api-gateway/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_apigatewayv2_route"</span> <span class="s2">"proxy"</span> <span class="p">{</span> <span class="nx">api_id</span> <span class="p">=</span> <span class="nx">aws_apigatewayv2_api</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> <span class="nx">route_key</span> <span class="p">=</span> <span class="s2">"ANY /{proxy+}"</span> <span class="nx">target</span> <span class="p">=</span> <span class="s2">"integrations/${aws_apigatewayv2_integration.ec2.id}"</span> <span class="p">}</span> </code></pre> </div> <p>The <code>ANY</code> - match all HTTP methods: <code>GET</code>, <code>POST</code>, <code>PUT</code>, etc., <code>/{proxy+}</code> is to match any pathname, and the <code>target</code> is naturally the target our ec2 integration.</p> <h3> Adding Stage </h3> <p>API Gateways require definition of deployment and stage. Stages exist because API Gateway is designed for API lifecycle management. They allow us define environments like <code>dev</code> vs <code>prod</code>. Let's start coding it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/api-gateway/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_apigatewayv2_stage"</span> <span class="s2">"default"</span> <span class="p">{</span> <span class="nx">api_id</span> <span class="p">=</span> <span class="nx">aws_apigatewayv2_api</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"$default"</span> <span class="nx">auto_deploy</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <p>We will specify <code>$default</code> stage meaning we do not have production and dev environment, we only have 1 environment, since this is enough for our use case. Note, it bigger projects, we could have wanted multiple stages for better deployment strategies of API like separate environments (dev/staging/prod) but only a single API definition.</p> <ul> <li> <a href="https://api.example.com/dev/" rel="noopener noreferrer">https://api.example.com/dev/</a>... → forwards to dev EC2</li> <li> <a href="https://api.example.com/prod/" rel="noopener noreferrer">https://api.example.com/prod/</a>... → forwards to prod EC2</li> </ul> <p>the <code>auto_deploy = true</code> means changes to routes/integrations are automatically deployed (no need for manual deploys).</p> <h3> Custom Domain Mapping </h3> <p>Finally we have all the integration and rules in place, we are going to move a big higher in the picture and changing DNS and SSL to our Gateway API. It is pretty simple to do:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/api-gateway/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_apigatewayv2_domain_name"</span> <span class="s2">"custom"</span> <span class="p">{</span> <span class="nx">domain_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">domain_name</span> <span class="nx">domain_name_configuration</span> <span class="p">{</span> <span class="nx">certificate_arn</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">acm_certificate_arn</span> <span class="nx">endpoint_type</span> <span class="p">=</span> <span class="s2">"REGIONAL"</span> <span class="nx">security_policy</span> <span class="p">=</span> <span class="s2">"TLS_1_2"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>We simply specify the <code>domain_name</code> for DNS and the <code>certificate_arn</code> for SSL. <code>endpoint_type = "REGIONAL"</code> means that the API Gateway is deployed regionally and is not optimized for edge like for example in cloudfront. Finally we glue it all together in the mapping:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_apigatewayv2_api_mapping"</span> <span class="s2">"mapping"</span> <span class="p">{</span> <span class="nx">api_id</span> <span class="p">=</span> <span class="nx">aws_apigatewayv2_api</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> <span class="nx">domain_name</span> <span class="p">=</span> <span class="nx">aws_apigatewayv2_domain_name</span><span class="p">.</span><span class="nx">custom</span><span class="p">.</span><span class="nx">id</span> <span class="nx">stage</span> <span class="p">=</span> <span class="nx">aws_apigatewayv2_stage</span><span class="p">.</span><span class="nx">default</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <p>Together, these ensure our API is available at <a href="https://api.example.com" rel="noopener noreferrer">https://api.example.com</a> instead of the ugly default abcdef123.execute-api.us-east-1.amazonaws.com.</p> <h3> Adding Route53 alias record </h3> <p>Finally, we want to make our DNS entry point at the custom domain in API Gateway:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/dns/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_route53_record"</span> <span class="s2">"www"</span> <span class="p">{</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">main_zone_id</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">domain_name</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"A"</span> <span class="nx">alias</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">target_domain_name</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">hosted_zone_id</span> <span class="nx">evaluate_target_health</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>With new accepted variables:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/dns/variables.tf</span> <span class="nx">variable</span> <span class="s2">"target_domain_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"hosted_zone_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <p>And we will pass them from the outputs of API Gateway module. So first, let's define the outputs in <code>modules/api-gateway/outputs.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/api-gateway/outputs.tf</span> <span class="nx">output</span> <span class="s2">"aws_apigatewayv2_domain_name"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_apigatewayv2_domain_name</span><span class="p">.</span><span class="nx">custom</span><span class="p">.</span><span class="nx">domain_name_configuration</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">target_domain_name</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The custom domain name for the API Gateway"</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"aws_apigatewayv2_hosted_zone_id"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_apigatewayv2_domain_name</span><span class="p">.</span><span class="nx">custom</span><span class="p">.</span><span class="nx">domain_name_configuration</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">hosted_zone_id</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The hosted zone ID for the API Gateway custom domain"</span> <span class="p">}</span> </code></pre> </div> <h2> Using it as a module </h2> <p>Now that we have defined all the moving pieces of the API Gateway module, we can use it in our terraform as follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># main.tf</span> <span class="nx">module</span> <span class="s2">"api_gateway"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/api-gateway"</span> <span class="nx">api_name</span> <span class="p">=</span> <span class="s2">"my-api"</span> <span class="nx">domain_name</span> <span class="p">=</span> <span class="s2">"myapp.example.com"</span> <span class="nx">acm_certificate_arn</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">ssl_acm</span><span class="p">.</span><span class="nx">aws_acm_certificate_arn</span> <span class="nx">ec2_public_url</span> <span class="p">=</span> <span class="s2">"http://${module.ec2.public_ip}:80"</span> <span class="p">}</span> </code></pre> </div> <h2> Updating Ec-2 firewall rules </h2> <p>We have added an API Gateway and told it that our ec2 is ready to listen on port 80. Next we need to update the firewall security groups of our ec-2 instance so that the port 80 is actually opened. Once it is opened, we will harden the rule by saying that it should accept connections only from our API Gateway. Let's update the Ec-2 security group. From <a href="https://www.iac-toolbox.com/blog/02-deploying-ec2-instance-with-terraform" rel="noopener noreferrer">Deploying EC2 instance on AWS with Terraform</a>, our security group originally looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"0.0.0.0/0"</span> <span class="p">]</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>We will update it with port 80:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"SSH port for API"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_ip_ranges</span><span class="p">.</span><span class="nx">apigw</span><span class="p">.</span><span class="nx">cidr_blocks</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>And the <code>cird_blocks</code> are the IP ranges that are allowed for that security group, in our case inbound traffic for port 80. The <code>data.aws_ip_ranges.apigw.cidr_blocks</code> come from the official AWS public IP ranges JSON. It will not work just like that, we need to make terraform fetch this JSON by writing it down:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">data</span> <span class="s2">"aws_ip_ranges"</span> <span class="s2">"apigw"</span> <span class="p">{</span> <span class="nx">services</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"API_GATEWAY"</span><span class="p">]</span> <span class="c1"># Only API Gateway IPs</span> <span class="nx">regions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"us-east-1"</span><span class="p">]</span> <span class="c1"># Your API Gateway region</span> <span class="p">}</span> </code></pre> </div> <p>We can also output them to see what IPs are those:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">output</span> <span class="s2">"apigw_ips"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_ip_ranges</span><span class="p">.</span><span class="nx">apigw</span><span class="p">.</span><span class="nx">cidr_blocks</span> <span class="p">}</span> </code></pre> </div> <h2> Testing </h2> <p>Now that we have all the code in place, I will let you glue the modules together. Once the code is ready, run <code>terraform init</code> and <code>terraform apply --auto-approve</code> and see that your infra is working now with the API Gateway!</p> <h2> Destroying Infra </h2> <p>Remember, infra has costs. When you are done experimenting, you can destroy the infra like follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform destroy <span class="nt">--auto-approve</span> </code></pre> </div> <h2> Conclusion </h2> <p>And that is a wrap! We have provisioned the setup that achieves the following:</p> <ul> <li>Users hit <a href="https://www.example.com" rel="noopener noreferrer">https://www.example.com</a> </li> <li>DNS (Route 53) resolves to API Gateway</li> <li>API Gateway terminates SSL (using ACM cert)</li> <li>Routes any request → EC2 backend (via public IP).</li> </ul> <p>This architecture is great for simple APIs that need SSL offloading without the overhead of load balancers or CDNs. API Gateway handles scaling, SSL, and routing, while EC2 runs your application logic. Continue experimenting and building and follow into the next article.</p> <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/provisioning-ssl-certificate-109a">Provision SSL Certificate</a> | <strong>Next:</strong> <a href="//./08-application-load-balancer-ssl">Application Load Balancer SSL</a></p> api aws devops terraform Viktor Vasylkovskyi Wed, 06 May 2026 15:54:02 +0000 https://forem.com/vvasylkovskyi/provisioning-ssl-certificate-109a https://forem.com/vvasylkovskyi/provisioning-ssl-certificate-109a <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/provisioning-ssl-termination-for-web-application-2ll8">SSL Termination Overview</a></p> <p>To enable SSL termination in AWS, you first need to provision an SSL certificate using AWS Certificate Manager (ACM). This certificate will be used by services like API Gateway or Application Load Balancer to encrypt traffic between your users and your application.</p> <p>In this guide, we will walk through the steps to request and validate an SSL certificate using Terraform. Then the certificate can be provisioned as a terraform module, and we will show how to use it in the next guides:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyg8dns502p06sri57azm.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyg8dns502p06sri57azm.png" alt=" " width="800" height="269"></a></p> <h2> Github Repository </h2> <p>This guide full code is available in <a href="https://github.com/IaC-Toolbox/iac-toolbox-project/tree/main/v4-acm-ssl" rel="noopener noreferrer">https://github.com/IaC-Toolbox/iac-toolbox-project/tree/main/v4-acm-ssl</a>. Feel free to clone it and follow along!</p> <h2> Provision SSL Certificate </h2> <p>let's create an ACM resource. We will do that in new module: <code>modules/acm</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/acm/main.tf</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"us_east_1"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="nx">shared_credentials_files</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"./.aws-credentials"</span><span class="p">]</span> <span class="nx">profile</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_acm_certificate"</span> <span class="s2">"cert"</span> <span class="p">{</span> <span class="k">provider</span> <span class="p">=</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">us_east_1</span> <span class="nx">domain_name</span> <span class="p">=</span> <span class="s2">"your-domain.com"</span> <span class="nx">validation_method</span> <span class="p">=</span> <span class="s2">"DNS"</span> <span class="nx">subject_alternative_names</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"www.your-domain.com"</span><span class="p">,</span> <span class="s2">"your-domain.com"</span><span class="p">]</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">create_before_destroy</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Note, that ACM certificates for API Gateway must be created in <code>us-east-1</code> region, regardless of where your API Gateway is located. Hence, we define a separate AWS provider with alias <code>us_east_1</code> to handle this.</p> <p>The code above requests an SSL/TLS certificate from AWS Certificate Manager for your domain. We choose DNS validation (simplest in Terraform if using Route 53).Note that we are adding <code>lifecycle.create_before_destroy</code>. This is because in case you change something on this resource, since Application Load Balancer will be using the certificate, this directive allows to duplicate certificate, and replace old one before destroying it thus allowing application load balancer to switch certificates without issues.</p> <h3> DNS Validation via Route 53 </h3> <p>Next, we need to create the required DNS record to prove domain ownership to ACM.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/acm/main.tf</span> <span class="k">resource</span> <span class="s2">"aws_route53_record"</span> <span class="s2">"cert_validation"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">dvo</span> <span class="nx">in</span> <span class="nx">aws_acm_certificate</span><span class="p">.</span><span class="nx">cert</span><span class="p">.</span><span class="nx">domain_validation_options</span> <span class="err">:</span> <span class="nx">dvo</span><span class="p">.</span><span class="nx">domain_name</span> <span class="p">=</span><span class="err">&gt;</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">dvo</span><span class="p">.</span><span class="nx">resource_record_name</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">dvo</span><span class="p">.</span><span class="nx">resource_record_type</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">dvo</span><span class="p">.</span><span class="nx">resource_record_value</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">name</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">type</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">aws_route53_zone_id</span> <span class="nx">records</span> <span class="p">=</span> <span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">value</span><span class="p">]</span> <span class="nx">ttl</span> <span class="p">=</span> <span class="mi">60</span> <span class="p">}</span> </code></pre> </div> <p>In the code above, the <code>for_each</code> turns the set into a map indexed by <code>domain_name</code> (which is unique). We are dynamically generating multiple DNS records (1 per domain to validate) using <code>for_each</code>. <code>aws_acm_certificate.cert.domain_validation_options</code> is a list of instructions from AWS on how to validate your domain. We loop over each <code>dvo</code> (domain validation option), and create a map like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="p">{</span> <span class="s2">"www.your-domain.com"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"_xyz.www.your-domain.com."</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"CNAME"</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"_abc.acm-validations.aws."</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This is how AWS verifies domain ownership: you create a DNS record with those values. The<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="nx">records</span> <span class="err">=</span> <span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">value</span><span class="p">]</span> <span class="nx">ttl</span> <span class="err">=</span> <span class="mi">60</span> </code></pre> </div> <ul> <li> <code>records</code>: The actual value to put in the DNS record (like _abc.acm-validations.aws.)</li> <li> <code>ttl</code>: Time-to-live (how long DNS resolvers cache it), set to 60 seconds for fast propagation.</li> </ul> <p>Next, we are adding a resource that tells AWS to wait for validation to complete before proceeding. It depends on the DNS record being correct.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/acm/main.tf</span> <span class="k">resource</span> <span class="s2">"aws_acm_certificate_validation"</span> <span class="s2">"cert"</span> <span class="p">{</span> <span class="k">provider</span> <span class="p">=</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">us_east_1</span> <span class="nx">certificate_arn</span> <span class="p">=</span> <span class="nx">aws_acm_certificate</span><span class="p">.</span><span class="nx">cert</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">validation_record_fqdns</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">for</span> <span class="nx">record</span> <span class="nx">in</span> <span class="nx">aws_route53_record</span><span class="p">.</span><span class="nx">cert_validation</span> <span class="err">:</span> <span class="nx">record</span><span class="p">.</span><span class="nx">fqdn</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>Let's also output the certificate ARN for later use:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/acm/outputs.tf</span> <span class="k">output</span> <span class="s2">"aws_acm_certificate_arn"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_acm_certificate</span><span class="p">.</span><span class="nx">cert</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"aws_acm_certificate_cert"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_acm_certificate</span><span class="p">.</span><span class="nx">cert</span> <span class="p">}</span> </code></pre> </div> <p>Add this module to your main terraform file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># main.tf</span> <span class="k">module</span> <span class="s2">"ssl_acm"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/acm"</span> <span class="nx">aws_route53_zone_id</span> <span class="p">=</span> <span class="nx">aws_route53_zone</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">zone_id</span> <span class="p">}</span> </code></pre> </div> <p>And now we have ACM certificate ready to be used in API Gateway. Let's ensure everything is correct by running:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform init terraform apply <span class="nt">--auto-approve</span> </code></pre> </div> <h2> Destroying Infra </h2> <p>Remember, infra has costs. When you are done experimenting, you can destroy the infra like follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform destroy <span class="nt">--auto-approve</span> </code></pre> </div> <h2> Next Steps </h2> <p>With the SSL certificate provisioned, you can now integrate it with your AWS services. In the next guides, we will demonstrate how to use this certificate with API Gateway and Application Load Balancer for SSL termination. Feel free to skip to the relevant section based on your architecture needs.</p> <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/provisioning-ssl-termination-for-web-application-2ll8">SSL Termination Overview</a> | <strong>Next:</strong> <a href="https://dev.to/vvasylkovskyi/provisioning-api-gateway-and-connecting-it-to-ec-2-instance-using-terraform-48ib">API Gateway SSL Termination</a></p> aws security terraform tutorial Viktor Vasylkovskyi Wed, 06 May 2026 15:53:30 +0000 https://forem.com/vvasylkovskyi/provisioning-ssl-termination-for-web-application-2ll8 https://forem.com/vvasylkovskyi/provisioning-ssl-termination-for-web-application-2ll8 <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/provisioning-ec2-instances-with-terraform-modules-best-practices-guide-e04">Terraform Modules Best Practices</a></p> <p>SSL termination is one of those steps that feels small but shapes your entire architecture. It is a common pattern to offload the SSL termination off your application, and instead make other cloud resource act as an SSL proxy. There are several ways to do it in AWS, and each comes with its own trade-offs. The “right” choice depends less on preference and more on the kind of traffic you're serving. In cloud, three resources can act as SSL termination: Load Balancer, a Content Delivery Network Origin, or an API Gateway.</p> <p>If you're building a pure REST API, <a href="https://docs.aws.amazon.com/apigateway/latest/developerguide/welcome.html" rel="noopener noreferrer">AWS API Gateway</a> is usually the simplest path. It handles SSL for you, integrates cleanly with Lambda or EC2, and keeps the moving parts to a minimum. The catch? It isn't great for serving frontend assets - you'll quickly notice limitations around caching and file delivery.</p> <p>Then there's the <a href="https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html" rel="noopener noreferrer">Application Load Balancer</a>. It works for both APIs and web apps, gives you full control, and is the most “production-ready” option. But it comes with overhead: more infrastructure, higher cost, and the expectation that you’ll eventually run multiple EC2 instances across multiple availability zones. ALB shines when your system is growing, but it's definitely not the lightest way to get started.</p> <p>This section walks through all three approaches. We will start with API Gateway for pure APIs and finally ALB for production-grade systems. By the end, you'll have a clear picture of how SSL termination fits into different architectures and which option makes sense for your next project.</p> <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/provisioning-ec2-instances-with-terraform-modules-best-practices-guide-e04">Terraform Modules Best Practices</a> | <strong>Next:</strong> <a href="https://dev.to/vvasylkovskyi/provisioning-ssl-certificate-109a">Provision SSL Certificate</a></p> architecture aws networking security Viktor Vasylkovskyi Wed, 06 May 2026 15:52:59 +0000 https://forem.com/vvasylkovskyi/provisioning-ec2-instances-with-terraform-modules-best-practices-guide-e04 https://forem.com/vvasylkovskyi/provisioning-ec2-instances-with-terraform-modules-best-practices-guide-e04 <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/provision-dns-records-with-terraform-2oja">Provision DNS Records with Terraform</a></p> <p>In this notes, we are going to learn how to organise terraform code using best practices like terraform modules. For the sake of simplicity we will reduce the code to the very basic example. An interesting side-effect is by modularizing our code, we can easily create multiple environments like dev and prod, which we will see later.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fakjgwvdgrkrpxq9ij739.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fakjgwvdgrkrpxq9ij739.png" alt=" " width="800" height="321"></a></p> <h2> Github Repository </h2> <p>This guide full code is available in <a href="https://github.com/IaC-Toolbox/iac-toolbox-project/tree/main/v3-terraform-modules" rel="noopener noreferrer">https://github.com/IaC-Toolbox/iac-toolbox-project/tree/main/v3-terraform-modules</a>. Feel free to clone it and follow along!</p> <h2> Creating Terraform Modules </h2> <p>Modularizing Terraform means splitting our infrastructure code into reusable, logical components called modules. This improves maintainability, reusability, and clarity, especially as our infrastructure grows.</p> <p>The best practices are separation of concerns, using inputs and outputs for modules. There are <code>Root Module</code> and <code>Child Modules</code>, where root module is the directory where the terraform commands are meant to run, and child modules are the ones that contain reusable code.</p> <p>We will create 3 modules: <code>network</code>, <code>ec2</code> and <code>dns</code>.</p> <p>The overall folder structure should look like follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>. ├── modules/ │ ├── network │ │ ├── main.tf │ │ ├── variables.tf │ │ └── outputs.tf │ ├── ec2 │ │ ├── main.tf │ │ ├── variables.tf │ │ └── outputs.tf │ ├── dns │ │ ├── main.tf │ │ ├── variables.tf │ │ └── outputs.tf ├── main.tf ├── variables.tf ├── outputs.tf └── terraform.tfvars </code></pre> </div> <h3> Module: network </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_vpc"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_cidr</span> <span class="nx">enable_dns_hostnames</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_dns_support</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnet_cidr</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">availability_zone</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_internet_gateway"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_route_table"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">route</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">gateway_id</span> <span class="p">=</span> <span class="nx">aws_internet_gateway</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_route_table_association"</span> <span class="s2">"subnet-association"</span> <span class="p">{</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">id</span> <span class="nx">route_table_id</span> <span class="p">=</span> <span class="nx">aws_route_table</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <p><strong>Variables:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># variables.tf</span> <span class="nx">variable</span> <span class="s2">"vpc_cidr"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"subnet_cidr"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"availability_zone"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <p><strong>Outputs:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">output</span> <span class="s2">"vpc_id"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"subnet_id"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <h3> Module: ec2 </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"Security Group for EC2 Instance"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="p">}</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_key_pair"</span> <span class="s2">"ssh-key"</span> <span class="p">{</span> <span class="nx">key_name</span> <span class="p">=</span> <span class="s2">"ssh-key"</span> <span class="nx">public_key</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ssh_public_key</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_ami</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">availability_zone</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">associate_public_ip_address</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnet_id</span> <span class="nx">key_name</span> <span class="p">=</span> <span class="nx">aws_key_pair</span><span class="p">.</span><span class="nx">ssh-key</span><span class="p">.</span><span class="nx">key_name</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_eip"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">instance</span> <span class="p">=</span> <span class="nx">aws_instance</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">id</span> <span class="nx">domain</span> <span class="p">=</span> <span class="s2">"vpc"</span> <span class="p">}</span> </code></pre> </div> <p>We will also add security group next to our EC2 module to allow SSH and HTTP access.</p> <p><strong>Variables:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># variables.tf</span> <span class="nx">variable</span> <span class="s2">"instance_ami"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"instance_type"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"availability_zone"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"subnet_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"ssh_public_key"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"vpc_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <p><strong>Outputs:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">output</span> <span class="s2">"instance_id"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_instance</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"public_ip"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_eip</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">public_ip</span> <span class="p">}</span> </code></pre> </div> <h3> Using modules - route module </h3> <p>The root modules will reference the children modules and assign the variables.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># main.tf</span> <span class="nx">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="nx">shared_credentials_files</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"./.aws-credentials"</span><span class="p">]</span> <span class="nx">profile</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"network"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/network"</span> <span class="nx">vpc_cidr</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="nx">subnet_cidr</span> <span class="p">=</span> <span class="s2">"10.0.1.0/24"</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">availability_zone</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"security_group"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/security_group"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"ec2"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/ec2"</span> <span class="nx">instance_ami</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_ami</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">availability_zone</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">subnet_id</span> <span class="nx">ssh_public_key</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ssh_public_key</span> <span class="p">}</span> </code></pre> </div> <p>And the outputs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># outputs.tf</span> <span class="nx">output</span> <span class="s2">"ec2_ip_address"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">ec2</span><span class="p">.</span><span class="nx">public_ip</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The Elastic IP address allocated to the EC2 instance."</span> <span class="p">}</span> </code></pre> </div> <h2> Install modules and apply </h2> <p>The modules have to be installed, so we need to run <code>terraform init</code> first. After that run <code>terraform apply --auto-approve</code> to see that everything works ok. You should see something like this on terminal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> Apply <span class="nb">complete</span><span class="o">!</span> Resources: 3 added, 0 changed, 0 destroyed. Outputs: ec2_ip_address <span class="o">=</span> <span class="s2">"your-ip"</span> </code></pre> </div> <h2> Adding DNS module pointing to our instance and a simple HTTP server </h2> <p>Now to make things interesting, we will create a simple web server and two environments - dev and prod. A common requirement for web applications.</p> <p>To accomplish that, we need to create:</p> <ul> <li>DNS module</li> <li>Update EC-2 Module to launch HTTP server</li> <li>Make dev and prod environments</li> </ul> <h3> DNS Module </h3> <p>Similarly, we will create the <code>module</code> called <code>dns</code> with 3 files in it - main, variables, outputs.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_route53_record"</span> <span class="s2">"www"</span> <span class="p">{</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">main_zone_id</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">domain_name</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"A"</span> <span class="nx">ttl</span> <span class="p">=</span> <span class="mi">60</span> <span class="nx">records</span> <span class="p">=</span> <span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">dns_record</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>Variables:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># variables.tf</span> <span class="nx">variable</span> <span class="s2">"main_zone_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"domain_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"dns_record"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># outputs.tf</span> <span class="nx">output</span> <span class="s2">"dns_record"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_route53_record</span><span class="p">.</span><span class="nx">www</span><span class="p">.</span><span class="nx">fqdn</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The FQDN of the www Route53 record"</span> <span class="p">}</span> </code></pre> </div> <p>We will leave <code>outputs.tf</code> black for now.</p> <p>Now in our <code>route53.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># route53.tf</span> <span class="nx">resource</span> <span class="s2">"aws_route53_zone"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"viktorvasylkovskyi.com"</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"aws_route53_record"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/dns"</span> <span class="nx">domain_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">domain_name</span> <span class="nx">main_zone_id</span> <span class="p">=</span> <span class="nx">aws_route53_zone</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">zone_id</span> <span class="nx">dns_record</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">ec2</span><span class="p">.</span><span class="nx">public_ip</span> <span class="p">}</span> </code></pre> </div> <p>Note, the <code>domain_name</code> is your domain name that you should own. Declare this variable in your <code>variables.tf</code> in the root module, and define it in <code>terraform.tfvars</code>.</p> <h3> Updating our EC-2 to start HTTP server </h3> <p>Now, let's update our <code>ec2</code> module in <code>main.tf</code>. We are going to add a <code>user_data</code> that will instantiate a simple http server on the startup of the machine. Add the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># ec2.main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"app"</span> <span class="p">{</span> <span class="p">...</span> <span class="nx">your</span> <span class="nx">instance</span> <span class="nx">previous</span> <span class="nx">code</span> <span class="p">...</span> <span class="nx">user_data</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOF</span><span class="sh"> #!/bin/bash sudo yum update -y || sudo apt-get update -y sudo yum install -y python3 || sudo apt-get install -y python3 echo "&lt;html&gt;&lt;body&gt;&lt;h1&gt;Hello from Terraform EC2!&lt;/h1&gt;&lt;/body&gt;&lt;/html&gt;" &gt; index.html nohup python3 -m http.server 80 &amp; </span><span class="no"> EOF </span><span class="p">}</span> </code></pre> </div> <h3> Adding outputs </h3> <p>Add outputs at the root module:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># outputs.tf</span> <span class="nx">output</span> <span class="s2">"ec2_domain_name"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">aws_route53_record</span><span class="p">.</span><span class="nx">dns_record</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The Elastic IP address allocated to the EC2 instance."</span> <span class="p">}</span> </code></pre> </div> <h3> Apply changes </h3> <p>Run <code>terraform init</code> and <code>terraform apply --auto-approve</code> and see your server working. You should be able to open browser at <code>var.domain_name</code>.</p> <h2> Destroying Infra </h2> <p>Remember, infra has costs. When you are done experimenting, you can destroy the infra like follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform destroy <span class="nt">--auto-approve</span> </code></pre> </div> <h2> Conclusion </h2> <p>By modularizing our Terraform code, we make our infrastructure more organized, reusable, and easier to maintain. This approach not only saves time as our projects grow, but also helps us avoid duplication and mistakes. With modules, scaling and evolving your infrastructure becomes a much smoother process.<br> Next we are going to focus on security, and more importantly, the SSL termination for our web applications.</p> <h2> Appendix </h2> <p>(Note, the following is optional. The following guides assume you do not follow this in the code, for simplicity sake.)</p> <h2> Adding dev and production environments </h2> <p>The great thing about modules is that we can reuse them. Let's reuse them in two environments: prod and dev. We need to refactor our code such that we have new folder structure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>environments/ dev/ main.tf terraform.tfvars variables.tf prod/ main.tf terraform.tfvars variables.tf modules/ </code></pre> </div> <p>Note, since our environments will be pretty much the same, the <code>terraform.tfvars</code> are going to drive the change of the environments.</p> <p>Example of the <code>terraform.tfvars</code> in <code>dev</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">availability_zone</span> <span class="err">=</span> <span class="s2">"us-east-1a"</span> <span class="nx">instance_ami</span> <span class="err">=</span> <span class="s2">"ami-xxxx"</span> <span class="nx">instance_type</span> <span class="err">=</span> <span class="s2">"t2.micro"</span> <span class="nx">domain_name</span> <span class="err">=</span> <span class="s2">"dev.example.com"</span> </code></pre> </div> <p>and in <code>prod</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">availability_zone</span> <span class="err">=</span> <span class="s2">"us-east-1b"</span> <span class="nx">instance_ami</span> <span class="err">=</span> <span class="s2">"ami-yyyy"</span> <span class="nx">instance_type</span> <span class="err">=</span> <span class="s2">"t3.medium"</span> <span class="nx">domain_name</span> <span class="err">=</span> <span class="s2">"prod.example.com"</span> </code></pre> </div> <p>Now, you can apply.</p> <h2> Applying multiple environments </h2> <p>You can apply both environments using <code>terraform apply</code>. Just jump into the folder and run apply.</p> <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/provision-dns-records-with-terraform-2oja">Provision DNS Records with Terraform</a> | <strong>Next:</strong> <a href="https://dev.to/vvasylkovskyi/provisioning-ssl-termination-for-web-application-2ll8">SSL Termination Overview</a></p> terraform aws learning infrastructure Viktor Vasylkovskyi Wed, 06 May 2026 15:52:00 +0000 https://forem.com/vvasylkovskyi/provision-dns-records-with-terraform-2oja https://forem.com/vvasylkovskyi/provision-dns-records-with-terraform-2oja <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/deploying-ec2-instance-on-aws-with-terraform-2h00">Deploying EC2 instance with Terraform</a></p> <p>In the previous notes we talked about how to setup the ec2 instance inside of the VPC on the subnet. We managed to access to this instance via SSH by providing ssh key in security groups. If you haven't read about it, fear not, you can still go back and read it: <a href="https://dev.to/vvasylkovskyi/deploying-ec2-instance-on-aws-with-terraform-2h00">Deploying EC2 instance on AWS with Terraform</a>.</p> <p>All is fine and dandy until now, but when we want to run a real application, we want to expose it on HTTP (and later HTTPS). In this note, I will walk you through how to do it using terraform. In practice, we will spawn a simple http server on our ec2 instance, and provide <code>Route53</code> DNS records (diagram below).</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsnh4deqb203uvcim0it0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsnh4deqb203uvcim0it0.png" alt=" " width="800" height="520"></a></p> <p>When adding DNS, we will be able to access our application not via IP address like<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>http://52.206.93.210/ </code></pre> </div> <p>but via actual domain that you own like<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>http://www.your-domain.com </code></pre> </div> <p>Let's dive in!</p> <h2> Github Repository </h2> <p>This guide full code is available in <a href="https://github.com/IaC-Toolbox/iac-toolbox-project/tree/main/v2-ec2-http" rel="noopener noreferrer">https://github.com/IaC-Toolbox/iac-toolbox-project/tree/main/v2-ec2-http</a>. Feel free to clone it and follow along!</p> <h2> Spawn HTTP server on ec2 instance </h2> <p>in your <code>ec2.tf</code> add the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"app"</span> <span class="p">{</span> <span class="p">...</span> <span class="nx">your</span> <span class="nx">instance</span> <span class="nx">previous</span> <span class="nx">code</span> <span class="p">...</span> <span class="nx">user_data</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOF</span><span class="sh"> #!/bin/bash sudo yum update -y || sudo apt-get update -y sudo yum install -y python3 || sudo apt-get install -y python3 echo "&lt;html&gt;&lt;body&gt;&lt;h1&gt;Hello from Terraform EC2!&lt;/h1&gt;&lt;/body&gt;&lt;/html&gt;" &gt; index.html nohup python3 -m http.server 80 &amp; </span><span class="no"> EOF </span><span class="p">}</span> </code></pre> </div> <p>In <code>outputs.tf</code> ensure you have the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">output</span> <span class="s2">"ec2_ip_address"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_eip</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">public_ip</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The Elastic IP address allocated to the EC2 instance."</span> <span class="p">}</span> </code></pre> </div> <p>The <code>user_data</code> is a cool utility in aws that allows us to bake in ec2 some bootstrap code. In this example we start a server using python that is a simple <code>&lt;html&gt;&lt;body&gt;&lt;h1&gt;Hello from Terraform EC2!&lt;/h1&gt;&lt;/body&gt;&lt;/html&gt;</code> static page.</p> <h3> Add HTTP rule to security group </h3> <p>In <code>security-groups.tf</code> ensure that you have the following rule to allow HTTP access:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="c1"># ... other rules ...</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"0.0.0.0/0"</span> <span class="p">]</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="p">}</span> <span class="c1"># ... other rules ...</span> <span class="p">}</span> </code></pre> </div> <h3> Testing the setup </h3> <p>Run <code>terraform apply --auto-approve</code>.</p> <p>See the output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ec2_ip_address <span class="o">=</span> <span class="s2">"3.214.79.152"</span> <span class="c"># example output</span> </code></pre> </div> <p>Navigate to <code>ec2_ip_address</code> and see website opening</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0beiomgj5gr68etjaq88.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0beiomgj5gr68etjaq88.png" alt=" " width="800" height="153"></a></p> <h2> Adding Route53 records </h2> <p>Next step, to create DNS records we actually have to create a hosted zone first.</p> <h2> Prerequisite: Domain name </h2> <p>Before we proceed, ensure that you have a domain name registered. You can use any domain registrar of your choice (e.g., GoDaddy, Namecheap, Cloudflare, etc.). For this example, we'll use <code>your-domain.com</code>. Replace it with your actual domain name in the Terraform code.</p> <p>Run <code>terraform apply --auto-approve</code> and navigate to <a href="https://us-east-1.console.aws.amazon.com/route53/v2/hostedzones" rel="noopener noreferrer">Route 53 Hosted Zones</a> and confirm that your hosted zone was created.</p> <h3> Adding Route53 records </h3> <p>Lets begin our <code>route53.tf</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># route53.tf</span> <span class="k">resource</span> <span class="s2">"aws_route53_zone"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"your-domain.com"</span> <span class="p">}</span> </code></pre> </div> <h3> Updating DNS Registrar </h3> <p>At this point, there is a manual step where we actually have to go to the web and click our way through. We need to ensure that our DNS registrar has namespaces of our hosted zone from route 53. You may be familiar with the process of updating NS records in your registrar.</p> <p>You may have purchased your domain from a registrar providers, in my case it is happens to be AWS. But there are many (e.g., GoDaddy, Namecheap, Cloudflare, etc.). So I leave you figure out how to find your DNS management in the registrar. Once you get there, next step is update the <code>NS</code> records to the ones that you have just created with the terraform in AWS.</p> <h3> Update DNS NameSpace records in your DNS registrar </h3> <p>The new Route53 zone that we created using terraform above can be found in the <a href="https://us-east-1.console.aws.amazon.com/route53/v2/hostedzones#" rel="noopener noreferrer">Hosted Zones</a>. Open the zone and find the <code>NS</code> records.</p> <p>Next step is to copy those <code>NS</code> records and add them one by one into DNS registrar of your choice (e.g. Cloudflare). These <code>NS</code> records essentially are addresses that will know how to find that DNS records of Route53.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9tw1qtlpkcfv5bpyo1gb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9tw1qtlpkcfv5bpyo1gb.png" alt=" " width="800" height="176"></a></p> <p>The general flow is:</p> <ol> <li>The user navigates to <code>www.your-domain.com</code> </li> <li>The <code>your-domain.com</code> registrar checks its <code>NS</code> records to find out where to look for DNS records.</li> <li>The registrar finds the <code>NS</code> records that point to Route53.</li> <li>The registrar queries Route53 for the DNS records of <code>www.your-domain.com</code>.</li> <li>Route53 responds with the IP address associated with <code>www.your-domain.com</code>.</li> </ol> <p>Therefore, it is a crucial step to update the <code>NS</code> records in your DNS registrar to point to the Route53 (AWS) name servers.</p> <h3> Add new DNS record </h3> <p>Once this is done we can proceed and add new DNS record using terraform:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># route53.tf</span> <span class="k">resource</span> <span class="s2">"aws_route53_zone"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"your-domain.com"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_route53_record"</span> <span class="s2">"www"</span> <span class="p">{</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="nx">aws_route53_zone</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">zone_id</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"www.your-domain.com"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"A"</span> <span class="nx">ttl</span> <span class="p">=</span> <span class="mi">60</span> <span class="nx">records</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_eip</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">public_ip</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>Above we are creating a DNS record of type <code>A</code> which is a type that assigns DNS name to Ipv4 IP address. Note that in this example we are using <code>EIP</code> which are fixed IP, to avoid the issues with dynamic IP addresses. This way we make sure that even if the EC2 instance is restarted, and receives new private IP, we still keep same fixed public IP. Lets apply and test <code>terraform apply --auto-approve</code>.</p> <p><strong>Note</strong>, check if the name servers got applied. Sometimes it takes a while for your changes to take effect. You can check by running:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>dig +short NS your-domain.com </code></pre> </div> <p>In the output, you should see the name servers that you have added in your DNS registrar. If they are not correct, wait a bit longer, you should receive the following error in browser <code>DNS_PROBE_FINISHED_NXDOMAIN</code> which indicates that the DNS records are not yet propagated.</p> <p>Once they are correct, your DNS should be applied. Visit <code>http://www.your-domain.com</code> and see it showing our demo app!</p> <h2> Destroying Infra </h2> <p>Remember, infra has costs. When you are done experimenting, you can destroy the infra like follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform destroy <span class="nt">--auto-approve</span> </code></pre> </div> <h2> Conclusion </h2> <p>And that is a wrap! Now we have the DNS records pointing to our Ec2 instance. Next, let's explore about how to add SSL to this domain and enable HTTPS. But before that, let's organize our code a little. Continue reading!</p> <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/deploying-ec2-instance-on-aws-with-terraform-2h00">Deploying EC2 instance with Terraform</a> | <strong>Next:</strong> <a href="https://dev.to/vvasylkovskyi/provisioning-ec2-instances-with-terraform-modules-best-practices-guide-e04">Terraform Modules Best Practices</a></p> aws devops networking terraform Viktor Vasylkovskyi Wed, 06 May 2026 15:50:35 +0000 https://forem.com/vvasylkovskyi/deploying-ec2-instance-on-aws-with-terraform-2h00 https://forem.com/vvasylkovskyi/deploying-ec2-instance-on-aws-with-terraform-2h00 <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/infrastructure-as-code-toolbox-a-hands-on-terraform-journey-through-aws-25m9">Infrastructure as Code Journey</a></p> <p>Provisioning a single EC2 instance might sound simple, but it already involves several essential AWS building blocks. Terraform makes those pieces clear, consistent, and repeatable. In this guide, we'll set up the networking, security, and configuration needed to launch an EC2 server entirely through code - building a solid foundation for everything that comes next.</p> <p>By the end of this guide, you will have a working EC2 instance on AWS that you can SSH into. Looking like this:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5kqtoryem4kgqxwk0p2e.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5kqtoryem4kgqxwk0p2e.png" alt=" " width="625" height="492"></a></p> <h2> Github Repository </h2> <p>This guide full code is available in <a href="https://github.com/IaC-Toolbox/iac-toolbox-project/tree/main/v1-ec2-ssh" rel="noopener noreferrer">https://github.com/IaC-Toolbox/iac-toolbox-project/tree/main/v1-ec2-ssh</a>. Feel free to clone it and follow along!</p> <h2> Recommended VS Code Extensions </h2> <p>Before writing any Terraform code, install these two extensions to get syntax highlighting, auto-completion, and validation directly in your editor:</p> <ul> <li> <a href="https://marketplace.visualstudio.com/items?itemName=HashiCorp.HCL" rel="noopener noreferrer">HashiCorp HCL</a> — Syntax highlighting and language support for HashiCorp Configuration Language (HCL)</li> <li> <a href="https://marketplace.visualstudio.com/items?itemName=HashiCorp.terraform" rel="noopener noreferrer">HashiCorp Terraform</a> — Full Terraform language server with auto-complete, hover documentation, and validation</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy0gwp0a1rnuqnojv49ss.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy0gwp0a1rnuqnojv49ss.png" alt=" " width="738" height="183"></a></p> <h2> Setting up AWS to obtain keys and AWS CLI </h2> <p>In order to provision infrastructure to AWS, we first need an access key. The following step by step describes how to setup AWS account using the console - <a href="https://console.aws.amazon.com/" rel="noopener noreferrer">https://console.aws.amazon.com/</a> to obtain the AWS access keys.</p> <ol> <li>Create a new <code>User</code> in IAM</li> <li>Create a new policy <code>AdministratorAccess</code> </li> <li>Create a new User Group where the <code>User</code> has the <code>AdministratorAccess</code> </li> <li>Create a API token/Access key <ol> <li>The Access key ID is <code>AWS_ACCESS_KEY_ID</code> </li> <li>The Access key is <code>AWS_SECRET_ACCESS_KEY</code> </li> </ol> </li> <li>Save the <code>AWS_SECRET_ACCESS_KEY</code> secure as it will never be shown again. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">AWS_ACCESS_KEY_ID</span><span class="o">=</span> <span class="nb">export </span><span class="nv">AWS_SECRET_ACCESS_KEY</span><span class="o">=</span> </code></pre> </div> <p>Now the AWS Api keys are ready, next we are going to start provisioning our infra using terraform.</p> <h2> Provisioning Infra with Terraform </h2> <p>Before diving in, big kudos to Harisson Cramer who published <a href="https://harrisoncramer.me/setting-up-docker-with-terraform-and-ec2/" rel="noopener noreferrer">Using Terraform with EC2 Servers and Docker</a>, which greatly inspired these notes. We are mostly building on top of what was described there.</p> <p>You will notice that to provision a simple ec2 instance, which is probably the most basic building block of cloud infra, we need to create alot of infrastructure. Here we will provision the following infra:</p> <ol> <li>The VPC (Virtual Private Cloud) that will hold our subnet</li> <li>The subnet within that VPC that will hold our EC2</li> <li>The route table. Route table specifies the rules of the IP navigation within our VPC. We will write a very basic one and explain it shortly</li> <li>Define the Internet Gateway that will allow traffic from the internet to our VPC</li> <li>Finally the actual Ec2 instance that will sit inside our VPC in the subnet</li> <li>Some security groups (like firewall) that will define rules of how the ec2 can be accessed</li> </ol> <h3> Configure AWS provider </h3> <p>First things first, since Terraform is cloud agnostic, we will first specify that we want to work with AWS. We will create a <code>main.tf</code> and credentials file. First lets create the <code>.aws-credentials</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[terraform] aws_access_key_id=AWS_ACCESS_KEY_ID aws_secret_access_key=AWS_SECRET_ACCESS_KEY </code></pre> </div> <h4> Git ignore </h4> <p>Note, the above file should be git ignored. Add the following to your <code>.gitignore</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="err">.aws-credentials</span> </code></pre> </div> <p>This is important as you don't want to leak your AWS keys into public repos.</p> <h3> Defining the AWS Provider </h3> <p>Now, we will define the AWS Provider. The provider tells Terraform which cloud provider to use. Let's define the <code>main.tf</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># main.tf</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="nx">shared_credentials_files</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"./.aws-credentials"</span><span class="p">]</span> <span class="nx">profile</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="p">}</span> </code></pre> </div> <p>Note, we are loading <code>.aws-credentials</code> into <code>shared_credentials_files</code>. And <code>profile</code> is the profile name inside that file.</p> <h3> Setting variables </h3> <p>The way terraform works is that we declare the variables to use and then we will assign them and use across the terraform files. For this project, we will create <code>variables.tf</code> where we will declare some variables like size of Ec2 instance, SSH key to access it and availability zones<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># variables.tf</span> <span class="k">variable</span> <span class="s2">"availability_zone"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Availability zone of resources"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"instance_ami"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"ID of the AMI used"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"instance_type"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Type of the instance"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"ssh_public_key"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Public SSH key for logging into EC2 instance"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <p>Now we need to define what are the actual values of those variables. Let's define <code>terraform.tfvars</code>. Note this file should be secret and outside of your version control:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># terraform.tfvars availability_zone = "us-east-1a" instance_ami = "ami-09e67e426f25ce0d7" instance_type = "t2.micro" ssh_public_key = "ssh-ed25519 actual-public-key email@blabla.com" </code></pre> </div> <p>You can copy the values above as is, except for <code>ssh_public_key</code> which you should replace with your actual public ssh key. The <code>instance_ami</code> is the Amazon Machine Image (AMI) id for Ubuntu 20.04 in <code>us-east-1</code> region. You can find other AMI ids from <a href="https://cloud-images.ubuntu.com/locator/ec2/" rel="noopener noreferrer">https://cloud-images.ubuntu.com/locator/ec2/</a>. We will talk about how to create the SSH key pair in the next section.</p> <h3> Creating VPC </h3> <p>now that we have some boilerplate variables in place, lets start provisioning resources. Remember, we want to create a VPC, with a subnet that will contain Ec2 instance. This Ec2 instance is inside a subnet that needs to be exposed to the network on a public IP. Lets start coding that</p> <p>Lets create a <code>network.tf</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># network.tf</span> <span class="k">resource</span> <span class="s2">"aws_vpc"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="nx">enable_dns_hostnames</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_dns_support</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <p>We enabled domain name support so that we can add a DNS in the future, but it is not important for now. We’re also telling our VPC to have a CIDR block with suppport for 65,534 hosts, ranging between the IP addresses of 10.0.0.1 to 10.0.255.254. More on how this work in the next section.</p> <p>Now, we will define Elastic IP address (EIP), which is essentially a way to use fixed public IP address. This is important in dynamic environment where Ec2 instance can change IP address if it gets destroyed and re-created, but the IP address stays the same for external access.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># network.tf</span> <span class="k">resource</span> <span class="s2">"aws_vpc"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="nx">enable_dns_hostnames</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_dns_support</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_eip"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">instance</span> <span class="p">=</span> <span class="nx">aws_instance</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">id</span> <span class="nx">domain</span> <span class="p">=</span> <span class="s2">"vpc"</span> <span class="p">}</span> </code></pre> </div> <p>Note that the instance to hold the fixed IP is our <code>aws_instance</code> which is our ec2 we will create next.</p> <h4> What is CIDR? </h4> <p>This section is just a theory of IP ranges, feel free to skip it if you are just interested in provisioning your infra.</p> <p>CIDR stands for Classless inter domain router, but we don't have to worry about its meaning. The CIDR is essentially a notation for representing how many of the IP address range are allowed in our subnet. Let's see an example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>cidr_block <span class="o">=</span> <span class="s2">"10.0.0.0/16"</span> </code></pre> </div> <p>The above CIDR block means that there are we can specify IP ranges from <code>10.0.0.0</code> to <code>10.0.255.255</code> why is that? This becomes clear when we look at the binary representation of CIDR at <a href="https://jodies.de/" rel="noopener noreferrer">https://jodies.de/</a></p> <p>each IP address is represented by binary address. Remember, in IP, each sub-domain can range from 0 to 255, which means 256 addresses, which happens to be 2^8 (two power of 8). So in the example above, the number <code>16</code> referes to the number of fixed numbers in IP address, which are first 16 bits, so <code>10.0</code> are fixed, (first part of <code>10.0.0.0</code>), and the <code>0.0</code> are dynamic, meaning they can range all the way to <code>255.255</code>.</p> <p>An extreme example is <code>10.0.0.0/32</code> which fixes all the numbers, and this leaves us only 1 IP address.</p> <h3> Creating Subnet </h3> <p>All set for VPC, now let's create subnet in it. For creating a subnet, we have to tell to which VPC it belongs, availability zone, and its CIDR block. we use <a href="https://developer.hashicorp.com/terraform/language/functions/cidrsubnet" rel="noopener noreferrer">cidrsubnet</a> for calculating the subnet IP range. Lets write <code>subnet.tf</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># subnet.tf</span> <span class="k">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="nx">cidrsubnet</span><span class="p">(</span><span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">cidr_block</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">availability_zone</span> <span class="p">}</span> </code></pre> </div> <p>We also need to associate this route table with our subnet. The route table essentially tells the traffic rules. So if there is some traffic allowed to go into subnet, it has to be defined in route table, otherwise the subnet has no rule of incomming traffic, and so no traffic!<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># subnet.tf</span> <span class="k">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="nx">cidrsubnet</span><span class="p">(</span><span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">cidr_block</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">availability_zone</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_route_table"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">route</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">gateway_id</span> <span class="p">=</span> <span class="nx">aws_internet_gateway</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_route_table_association"</span> <span class="s2">"subnet-association"</span> <span class="p">{</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">id</span> <span class="nx">route_table_id</span> <span class="p">=</span> <span class="nx">aws_route_table</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <p>What did we write above? Essentially we say that there is a route table in our VPC where whatever the incomming IP address, it will be directed into the gateway <code>aws_internet_gateway.my_app.id</code>. Note we also have to associate the route table to the subnet in the end.</p> <p>Finally, we need to define the gateway resource. It only needs to know what VPC it belongs to.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># gateway.tf</span> <span class="k">resource</span> <span class="s2">"aws_internet_gateway"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <p>And that is it! We have our network and ready to start creating servers in it, in this case Ec2.</p> <h3> Creating the EC2 Instance </h3> <p>So we have seen that to access our ec2 instance we will use SSH key. Let's then create a public SSH key. Note we are referring <code>var.ssh_public_key</code> from <code>terraform.tfvars</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># ec2.tf</span> <span class="k">resource</span> <span class="s2">"aws_key_pair"</span> <span class="s2">"ssh-key"</span> <span class="p">{</span> <span class="nx">key_name</span> <span class="p">=</span> <span class="s2">"ssh-key"</span> <span class="nx">public_key</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">ssh_public_key</span> <span class="p">}</span> </code></pre> </div> <h4> Generating SSH key pair </h4> <p>SSH key pair can be generated on your local machine. If you are on Mac or Linux, you can run the following command in your terminal:</p> <ol> <li>Generate an SSH key pair on your Mac: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh-keygen <span class="nt">-t</span> ed25519 <span class="nt">-C</span> <span class="s2">"your_email@example.com"</span> </code></pre> </div> <p>Press Enter to accept the default file path (<code>~/.ssh/&lt;your-key-name&gt;</code>) and choose a passphrase if desired. Or just press Enter twice to skip setting a passphrase. SSH key pair is a combination of public and private keys. The public key is meant to be shared with servers you want to access, while the private key should be kept secure on your local machine.</p> <ol> <li>Copy the contents of your public key: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> ~/.ssh/&lt;your-key-name&gt;.pub </code></pre> </div> <p>Remember our <code>terraform.tfvars</code>? Let's update it with actual public ssh key.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># terraform.tfvars # Replace with your actual public ssh key ssh_public_key = "ssh-ed25519 actual-public-key email@blabla.com" </code></pre> </div> <h4> Provisioning the EC2 </h4> <p>And now, the ec2 itself:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># ec2.tf</span> <span class="k">resource</span> <span class="s2">"aws_key_pair"</span> <span class="s2">"ssh-key"</span> <span class="p">{</span> <span class="nx">key_name</span> <span class="p">=</span> <span class="s2">"ssh-key"</span> <span class="nx">public_key</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">ssh_public_key</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">instance_ami</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">availability_zone</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">associate_public_ip_address</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">id</span> <span class="nx">key_name</span> <span class="p">=</span> <span class="s2">"ssh-key"</span> <span class="p">}</span> </code></pre> </div> <p>Finally our subnet is being useful, it is important for the ec2 to know where to run! As you can see the <code>subnet_id</code> is a fundamental building block of <code>aws_instance</code> resource. Another important consideration is the <code>security_groups</code> which define the rules of how one can access our instance (you can't just access it randomly, we need to protect our instance).</p> <h3> Creating the Security Group </h3> <p>The last piece of infrastructure is the security group. Let's add it. The only rule we want is to allow SSH access via port 22. This is called <code>ingress</code>, meaning the traffic allowed to enter the subnet. We will also define the <code>egress</code> rule meaning the traffic allowed to leave the subnet. In this case we will just allow to leave everything.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># security_group.tf</span> <span class="k">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"0.0.0.0/0"</span> <span class="p">]</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Output file </h3> <p>For convenience, to know our public IP address, we will create <code>outputs.tf</code> that will output the IP address to CLI<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># outputs.tf</span> <span class="k">output</span> <span class="s2">"ec2_ip_address"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_eip</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">public_ip</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The Elastic IP address allocated to the EC2 instance."</span> <span class="p">}</span> </code></pre> </div> <h2> Running Infra </h2> <p>At this point, your infra should look like follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>infrastructure ├── ec2.tf ├── gateway.tf ├── main.tf ├── network.tf ├── security_group.tf ├── subnet.tf ├── terraform.tfvars ├── variables.tf ├── .aws-credentials </code></pre> </div> <p>We can create the infra using terraform like follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform init terraform plan terraform apply <span class="nt">--auto-approve</span> </code></pre> </div> <p>You should see output like<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> Apply <span class="nb">complete</span><span class="o">!</span> Resources: 9 added, 0 changed, 0 destroyed. Outputs: ec2_ip_address <span class="o">=</span> <span class="s2">"52.206.93.210"</span> <span class="c"># example IP</span> </code></pre> </div> <p>Finally, lets connect to our instance via ssh:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh ubuntu@52.206.93.210 </code></pre> </div> <h2> Destroying Infra </h2> <p>Remember, infra has costs. When you are done experimenting, you can destroy the infra like follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform destroy <span class="nt">--auto-approve</span> </code></pre> </div> <h2> Conclusion </h2> <p>And that's a wrap! Next you should explore how to run a server (perhaps in the docker container). This was a rather simple example - like a hello world in infrastructure as code. Let's continue iterating and <a href="https://dev.to/vvasylkovskyi/provision-dns-records-with-terraform-2oja">Provision DNS records with Terraform</a>.</p> <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/infrastructure-as-code-toolbox-a-hands-on-terraform-journey-through-aws-25m9">Infrastructure as Code Journey</a> | <strong>Next:</strong> <a href="https://dev.to/vvasylkovskyi/provision-dns-records-with-terraform-2oja">Provision DNS Records with Terraform</a></p> terraform infrastructure aws learning