Create a web portal on AWS through terraform also provide internet access to private subnet

Problem Statement

We have to create a web portal for our company with all the security as much as possible. So, we use Wordpress software with dedicated database server. Database should not be accessible from the outside world for security purposes. We only need to public the WordPress to clients also add an additional feature to be added that is NAT Gateway to provide the internet access to instances running in the private subnet.

So here are the steps that we need to follow :

1. Write an Infrastructure as code using terraform, which automatically create a VPC.

Bastion Host ?

AWS Bastion Host is a server whose purpose is to provide access to a private network from an external network, such as the Internet. Because of its exposure to potential attack, a bastion host must minimize the chances of penetration.

Terraform Code:

1. We are using aws as provider so we need to setup region and profile.

provider “aws” {
region = “ap-south-1”
profile = “aditya”
}

2. Create the key pair.

resource “tls_private_key” “adikey” {
algorithm = “RSA”
}
resource “aws_key_pair” “generated_key” {
key_name = “adikey”
public_key = “${tls_private_key.adikey.public_key_openssh}”

depends_on = [
tls_private_key.adikey
]
}

resource “local_file” “key-file” {
content = “${tls_private_key.adikey.private_key_pem}”
filename = “adikey.pem”

depends_on = [
tls_private_key.adikey
]
}

3. Create the VPC.

resource “aws_vpc” “myVPC” {
cidr_block = “192.168.0.0/16”
instance_tenancy = “default”
enable_dns_hostnames = “true”
tags = {
Name = “myVPC”
}
}

//Elastic IP

resource “aws_eip” “elastic_ip” {
vpc = true
}

4. Create two subnets.

// Public Subnet

resource “aws_subnet” “My_Public_Subnet” {
vpc_id = “${aws_vpc.myVPC.id}”
availability_zone = “ap-south-1a”
cidr_block = “192.168.1.0/24”
map_public_ip_on_launch = true
tags = {
Name = “My_Public_Subnet”
}
}

//Private Subnet

resource “aws_subnet” “my_subnet_private” {
vpc_id = “${aws_vpc.myVPC.id}”
availability_zone = “ap-south-1b”
cidr_block = “192.168.2.0/24”
tags = {
Name = “my_subnet_private”
}
}

5. Create the Internet Gateway

resource “aws_nat_gateway” “nat_gateway” {
allocation_id = “${aws_eip.elastic_ip.id}”
subnet_id = “${aws_subnet.My_Public_Subnet.id}”
depends_on = [ aws_nat_gateway.nat_gateway ]
}

6. Create the route table.

resource “aws_route_table” “my_route_table” {
vpc_id = “${aws_vpc.myVPC.id}”
route {
cidr_block = “0.0.0.0/0”
gateway_id = “${aws_internet_gateway.My_IG.id}”
}
tags = {
Name = “my_route_table”
}
}

resource “aws_route_table” “nat_gateway_route” {
vpc_id = “${aws_vpc.myVPC.id}”
route {
cidr_block = “0.0.0.0/0”
gateway_id = “${aws_nat_gateway.nat_gateway.id}”
}
tags = {
Name = “nat_gateway_route”
}
}

7. Connect the route table to subnet.

//Connect to public subnet

resource “aws_route_table_association” “my_route_table_association” {
subnet_id = aws_subnet.My_Public_Subnet.id
route_table_id = aws_route_table.my_route_table.id
}

// Connect to private subnet

resource “aws_route_table_association” “nat_asso” {
subnet_id = aws_subnet.my_subnet_private.id
route_table_id = aws_route_table.nat_gateway_route.id
}

8. Create Security group for instance.

//Wordpress Security Group

resource “aws_security_group” “Security_Group_Word_Press” {
name = “Security_Group_Word_Press”
description = “Allow HTTP inbound traffic”
vpc_id = “${aws_vpc.myVPC.id}”

ingress {
description = “http”
from_port = 80
to_port = 80
protocol = “tcp”
cidr_blocks = [ “0.0.0.0/0” ]
}
ingress {
description = “ssh”
from_port = 22
to_port = 22
protocol = “tcp”
cidr_blocks = [ “0.0.0.0/0” ]
}
ingress {
description = “https”
from_port = 443
to_port = 443
protocol = “tcp”
cidr_blocks = [ “0.0.0.0/0” ]
}
egress {
from_port = 0
to_port = 0
protocol = “-1”
cidr_blocks = [“0.0.0.0/0”]
}
tags = {
Name = “Security_Group_Word_Press”
}
}

//Bastion Host Security Group

resource “aws_security_group” “Security_Group_BastionHost” {
name = “Security_Group_BastionHost”
description = “ssh_bh”
vpc_id = “${aws_vpc.myVPC.id}”

ingress {
description = “ssh”
from_port = 22
to_port = 22
protocol = “tcp”
cidr_blocks = [ “0.0.0.0/0” ]
}
egress {
from_port = 0
to_port = 0
protocol = “-1”
cidr_blocks = [“0.0.0.0/0”]
}
tags = {
Name = “Security_Group_BastionHost”
}
}

//MySQL Security Group

resource “aws_security_group” “Security_Group_MySQL” {
name = “Security_Group_MySQL”
description = “mysql”
vpc_id = “${aws_vpc.myVPC.id}”

ingress {
description = “mysql”
from_port = 3306
to_port = 3306
protocol = “tcp”
cidr_blocks = [ “0.0.0.0/0” ]
}
ingress {
description = “ssh”
from_port = 22
to_port = 22
protocol = “tcp”
security_groups = [ “${aws_security_group.Security_Group_BastionHost.id}” ]
}
egress {
from_port = 0
to_port = 0
protocol = “-1”
cidr_blocks = [“0.0.0.0/0”]
}

tags = {
Name = “Security_Group_MySQL”
}
}

9. Launch instances.

//Launch Wordpress Instance

resource “aws_instance” “WP_OS” {
ami = “ami-000cbce3e1b899ebd”
instance_type = “t2.micro”
key_name = aws_key_pair.generated_key.key_name
subnet_id = “${aws_subnet.My_Public_Subnet.id}”
vpc_security_group_ids = [ “${aws_security_group.Security_Group_Word_Press.id}” ]
tags = {

Name = “WPOS”

}
}

//Launch Bastion Host Instance

resource “aws_instance” “BastionHost_OS” {
ami = “ami-0e306788ff2473ccb”
instance_type = “t2.micro”
key_name = aws_key_pair.generated_key.key_name
subnet_id = “${aws_subnet.My_Public_Subnet.id}”
vpc_security_group_ids = [ “${aws_security_group.Security_Group_BastionHost.id}” ]
tags = {

Name = “BastionHostOS”
}
}

//Launch MySQL Instance

resource “aws_instance” “MySQL_OS” {
ami = “ami-0019ac6129392a0f2”
instance_type = “t2.micro”
key_name = aws_key_pair.generated_key.key_name
subnet_id = “${aws_subnet.my_subnet_private.id}”
vpc_security_group_ids = [ “${aws_security_group.Security_Group_MySQL.id}” ]
tags = {

Name = “MySQLOS”
}
}

Now We have to first initialize a working directory with terraform init command.

terraform init

Now we will run the terraform code:

terraform apply -auto-approve

Here is the final output:

Thank You !!

I'm passionate learner diving into the concepts of computing 💻