This repository contains Terraform configurations for deploying and managing AWS infrastructure. The infrastructure is designed to be secure, scalable, and maintainable, following AWS best practices.
The infrastructure consists of the following modules:

- Networking
  - VPC with public and private subnets across multiple AZs
  - Internet Gateway and NAT Gateway
  - Network ACLs and Security Groups
  - VPC Flow Logs
  - DNS configuration
- Database
  - PostgreSQL RDS instance
  - Multi-AZ deployment
  - Automated backups
  - Encryption at rest
  - Parameter groups
  - Security groups
- Storage
  - Elastic File System
  - Mount targets in private subnets
  - Access points
  - Lifecycle management
  - Encryption at rest
- Backup
  - AWS Backup vault
  - Backup plans (daily, weekly, monthly)
  - Cross-region replication
  - Retention policies
  - Backup monitoring
- WAF
  - Web Application Firewall
  - AWS managed rules
  - Custom rules
  - Rate limiting
  - Geographic restrictions
- Monitoring
  - CloudWatch alarms
  - SNS topics
  - Dashboard
  - Log groups
  - Metric filters
Prerequisites:

- Terraform v1.0.0 or later
- AWS CLI v2.0.0 or later
- Git
- AWS account with appropriate permissions
- S3 bucket for Terraform state
- DynamoDB table for state locking
The infrastructure uses S3 for state storage and DynamoDB for state locking. To configure the backend:

1. Create an S3 bucket for Terraform state (omit `--create-bucket-configuration` when the region is `us-east-1`, which rejects a `LocationConstraint`):

   ```bash
   aws s3api create-bucket \
     --bucket your-terraform-state-bucket \
     --region your-aws-region \
     --create-bucket-configuration LocationConstraint=your-aws-region
   ```

2. Create a DynamoDB table for state locking:

   ```bash
   aws dynamodb create-table \
     --table-name your-terraform-lock-table \
     --attribute-definitions AttributeName=LockID,AttributeType=S \
     --key-schema AttributeName=LockID,KeyType=HASH \
     --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5
   ```

3. Initialize Terraform with the backend configuration:

   ```bash
   # Create backend.hcl file
   cat > backend.hcl << EOF
   bucket         = "your-terraform-state-bucket"
   key            = "path/to/state/file"
   region         = "your-aws-region"
   dynamodb_table = "your-terraform-lock-table"
   encrypt        = true
   EOF

   # Initialize Terraform
   terraform init -backend-config=backend.hcl
   ```
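The CLI commands above create a working backend but leave the state bucket without versioning, default encryption or a public access block, and Terraform state contains resource attributes, including database credentials passed through variables. The following is an added example, not a file from this repository, of a one-off bootstrap configuration that creates the same bucket and lock table with those controls in place. Bucket and table names are placeholders; the TLS-only bucket policy and on-demand billing for the lock table are choices made for this example.

```hcl
# bootstrap/main.tf (added example; names are placeholders, not the
# repository's own values). Apply this once with local state, then point
# the root configuration's backend at the resources it creates.
terraform {
  required_version = ">= 1.0.0"
}

provider "aws" {
  region = "your-aws-region"
}

# State files hold resource attributes, so the bucket is versioned
# (to recover an overwritten or corrupted state), encrypted by default,
# never public, and only reachable over TLS.
resource "aws_s3_bucket" "tf_state" {
  bucket = "your-terraform-state-bucket"
}

resource "aws_s3_bucket_versioning" "tf_state" {
  bucket = aws_s3_bucket.tf_state.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "tf_state" {
  bucket = aws_s3_bucket.tf_state.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

resource "aws_s3_bucket_public_access_block" "tf_state" {
  bucket                  = aws_s3_bucket.tf_state.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Deny any request that does not arrive over TLS.
data "aws_iam_policy_document" "tf_state_tls_only" {
  statement {
    sid     = "DenyInsecureTransport"
    effect  = "Deny"
    actions = ["s3:*"]
    resources = [
      aws_s3_bucket.tf_state.arn,
      "${aws_s3_bucket.tf_state.arn}/*",
    ]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "tf_state" {
  bucket = aws_s3_bucket.tf_state.id
  policy = data.aws_iam_policy_document.tf_state_tls_only.json
}

# Lock table: LockID is the only key Terraform uses. On-demand billing
# replaces the fixed 5/5 provisioned capacity from the CLI command above.
resource "aws_dynamodb_table" "tf_lock" {
  name         = "your-terraform-lock-table"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"

  attribute {
    name = "LockID"
    type = "S"
  }
}

# The two values backend.hcl needs; `terraform output` prints them after apply.
output "state_bucket" {
  value = aws_s3_bucket.tf_state.bucket
}

output "lock_table" {
  value = aws_dynamodb_table.tf_lock.name
}
```

The root configuration's `backend.tf` then declares an empty `terraform { backend "s3" {} }` block (a partial configuration) and receives the bucket, key, region, table and `encrypt = true` from `backend.hcl` at `terraform init`, exactly as in step 3. Because the bootstrap configuration uses local state, commit it and keep its state file out of the repository.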
The repository is laid out as follows:

```text
terraform/
├── backend.tf               # Backend configuration
├── main.tf                  # Main Terraform configuration
├── variables.tf             # Input variables
├── outputs.tf               # Output values
├── terraform.tfvars         # Variable values (gitignored)
├── backend.hcl              # Backend configuration values (gitignored)
├── documents/               # Documentation
│   ├── cost-estimation.md
│   ├── security-considerations.md
│   └── setup-maintenance.md
└── modules/                 # Terraform modules
    ├── networking/          # VPC and networking
    ├── database/            # RDS configuration
    ├── storage/             # EFS configuration
    ├── backup/              # Backup configuration
    ├── waf/                 # WAF configuration
    └── monitoring/          # Monitoring configuration
```
To deploy an environment:

1. Clone the repository:

   ```bash
   git clone https://github.com/biey-root/terraform-sample.git
   cd terraform-sample
   ```

2. Create a new branch for your environment:

   ```bash
   git checkout -b environment/<env-name>
   ```

3. Create a `terraform.tfvars` file:

   ```bash
   cp terraform.tfvars.example terraform.tfvars
   ```

4. Update the variables in `terraform.tfvars` with your environment-specific values.

5. Initialize Terraform:

   ```bash
   terraform init -backend-config=backend.hcl
   ```

6. Review the planned changes:

   ```bash
   terraform plan
   ```

7. Apply the configuration:

   ```bash
   terraform apply
   ```
The root `main.tf` composes the modules; outputs of one module feed the inputs of the modules that depend on it:

```hcl
module "networking" {
  source          = "./modules/networking"
  environment     = var.environment
  vpc_cidr        = var.vpc_cidr
  azs             = var.azs
  private_subnets = var.private_subnets
  public_subnets  = var.public_subnets
  tags            = var.tags
}

module "database" {
  source                = "./modules/database"
  environment           = var.environment
  vpc_id                = module.networking.vpc_id
  private_subnet_ids    = module.networking.private_subnet_ids
  db_instance_class     = var.db_instance_class
  db_name               = var.db_name
  db_username           = var.db_username
  db_password           = var.db_password
  backup_retention_days = var.backup_retention_days
  tags                  = var.tags
}

module "storage" {
  source             = "./modules/storage"
  environment        = var.environment
  vpc_id             = module.networking.vpc_id
  private_subnet_ids = module.networking.private_subnet_ids
  performance_mode   = var.efs_performance_mode
  throughput_mode    = var.efs_throughput_mode
  transition_to_ia   = var.efs_transition_to_ia
  tags               = var.tags
}

module "backup" {
  source                   = "./modules/backup"
  environment              = var.environment
  backup_retention_days    = var.backup_retention_days
  weekly_backup_retention  = var.weekly_backup_retention_days
  monthly_backup_retention = var.monthly_backup_retention_days
  rds_instance_arn         = module.database.rds_instance_arn
  efs_file_system_arn      = module.storage.efs_file_system_arn
  tags                     = var.tags
}

module "waf" {
  source           = "./modules/waf"
  environment      = var.environment
  waf_web_acl_name = var.waf_web_acl_name
  tags             = var.tags
}

module "monitoring" {
  source                = "./modules/monitoring"
  environment           = var.environment
  aws_region            = var.aws_region
  rds_instance_id       = module.database.rds_instance_id
  waf_web_acl_name      = module.waf.waf_web_acl_name
  efs_file_system_id    = module.storage.efs_file_system_id
  alarm_email_endpoints = var.alarm_email_endpoints
  tags                  = var.tags
}
```

Detailed documentation is available in the `documents` directory:

- [Cost Estimation](documents/cost-estimation.md)
- [Security Considerations](documents/security-considerations.md)
- [Setup and Maintenance](documents/setup-maintenance.md)
Best practices:

- State Management
  - Use remote state storage (S3)
  - Enable state locking (DynamoDB)
  - Encrypt state files
  - Use workspaces for multiple environments
- Security
  - Use IAM roles and policies
  - Enable encryption at rest
  - Implement security groups
  - Use WAF for web protection
  - Regular security audits
- Cost Management
  - Use appropriate instance types
  - Implement auto-scaling
  - Enable lifecycle policies
  - Regular cost reviews
  - Use reserved instances where appropriate
- Monitoring
  - Set up CloudWatch alarms
  - Configure SNS notifications
  - Monitor costs
  - Track performance metrics
  - Regular log analysis
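The `database` module call in `main.tf` passes `db_password` straight through as a variable, and the security practices above ask for encryption at rest and security groups. This added example, written for this README and not the code shipped in `modules/database/`, shows one way the module could declare those inputs and its RDS instance so that both hold: the password is marked `sensitive` so it is redacted from plan and apply output, storage is encrypted with a customer-managed KMS key, and the only ingress is PostgreSQL from the application's security group. The `app_security_group_id` input and the KMS key resource are assumptions that the module interface above does not show.

```hcl
# modules/database/variables.tf (illustrative; the real module may differ)
variable "environment"           { type = string }
variable "vpc_id"                { type = string }
variable "private_subnet_ids"    { type = list(string) }
variable "db_instance_class"     { type = string }
variable "db_name"               { type = string }
variable "db_username"           { type = string }
variable "backup_retention_days" { type = number }
variable "tags"                  { type = map(string) }

# Assumed extra input: only members of this security group may connect.
variable "app_security_group_id" { type = string }

# `sensitive = true` redacts the value in plan/apply output. It is still
# written to state in plaintext, which is why the state bucket is encrypted.
variable "db_password" {
  type      = string
  sensitive = true

  validation {
    condition     = length(var.db_password) >= 16
    error_message = "db_password must be at least 16 characters."
  }
}

# modules/database/main.tf (illustrative)
resource "aws_db_subnet_group" "this" {
  name       = "${var.environment}-db-subnets"
  subnet_ids = var.private_subnet_ids # private subnets only, no route from the internet
  tags       = var.tags
}

# Ingress is restricted to PostgreSQL from the application security group.
# No CIDR rule and no egress block are declared, so Terraform also removes
# the default allow-all egress; the instance initiates no outbound traffic.
resource "aws_security_group" "db" {
  name   = "${var.environment}-db-sg"
  vpc_id = var.vpc_id
  tags   = var.tags

  ingress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [var.app_security_group_id]
  }
}

# Customer-managed key with automatic rotation for encryption at rest.
resource "aws_kms_key" "db" {
  description         = "${var.environment} RDS encryption key"
  enable_key_rotation = true
  tags                = var.tags
}

resource "aws_db_instance" "this" {
  identifier        = "${var.environment}-postgres"
  engine            = "postgres"
  instance_class    = var.db_instance_class
  allocated_storage = 20

  db_name  = var.db_name
  username = var.db_username
  password = var.db_password

  db_subnet_group_name   = aws_db_subnet_group.this.name
  vpc_security_group_ids = [aws_security_group.db.id]
  publicly_accessible    = false

  multi_az                  = true
  storage_encrypted         = true
  kms_key_id                = aws_kms_key.db.arn
  backup_retention_period   = var.backup_retention_days
  deletion_protection       = true
  skip_final_snapshot       = false
  final_snapshot_identifier = "${var.environment}-postgres-final"

  tags = var.tags
}

# Outputs consumed by the backup and monitoring modules in main.tf.
output "rds_instance_id"  { value = aws_db_instance.this.id }
output "rds_instance_arn" { value = aws_db_instance.this.arn }
```

Since `password` is derived from a sensitive variable, `terraform plan` prints it as `(sensitive value)`; anyone with read access to the state bucket can still recover it, so access to the bucket should be limited to the roles that run Terraform. `deletion_protection` and the final snapshot guard against an accidental `terraform destroy` removing the only copy of the data.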
Regular maintenance tasks are documented in [Setup and Maintenance](documents/setup-maintenance.md). Key tasks include:
- Daily monitoring
- Weekly security reviews
- Monthly updates
- Quarterly assessments
- Regular backup testing
For support and questions:
- DevOps Team: devops@deltacite.com
- Security Team: security@deltacite.com
- Infrastructure Team: infra@deltacite.com
This project is licensed under the MIT License - see the LICENSE file for details.