Create a web portal with all security on AWS through terraform

Problem Statement:

We have to create a web portal for our company with all the security as much as possible. So, we use Wordpress software with dedicated database server. Database should not be accessible from the outside world for security purposes. We only need to public the WordPress to clients.

So here are the steps that we need to follow :

(a) public subnet [ Accessible for Public World! ]b) private subnet [ Restricted for Public World! ]

3. Create a public facing internet gateway for connect our VPC/Network to the internet world and attach this gateway to our VPC.

4. Create a routing table for Internet gateway so that instance can connect to outside world, update and associate it with public subnet.

5. Launch an ec2 instance which has Wordpress setup already having the security group allowing port 80 so that our client can connect to our wordpress site. Also attach the key to instance for further login into it.

6. Launch an ec2 instance which has MYSQL setup already with security group allowing port 3306 in private subnet so that our wordpress vm can connect with the same. Also attach the key with the same.

Note: Wordpress instance has to be part of public subnet so that our client can connect our site. mysql instance has to be part of private subnet so that outside world can’t connect to it. Don’t forgot to add auto ip assign and auto dns name assignment option to be enabled.

Terraform Code:

1. We are using aws as provider so we need to setup region and profile.

provider “aws” {
region = “ap-south-1”
profile = “myadi”
}

2. Create the key pair.

resource “tls_private_key” “web_key” {
algorithm = “RSA”
}

resource “aws_key_pair” “task_key” {
key_name = “mytaskkey”
public_key = tls_private_key.web_key.public_key_openssh
}

resource “local_file” “key-file” {
content = tls_private_key.web_key.private_key_pem
filename = “task_key.pem”
}

3. Create the VPC.

resource “aws_vpc” “main” {
cidr_block = “10.10.0.0/16”
enable_dns_hostnames=true
enable_dns_support =true
tags = {
Name = “myvpc”
}
}

4. Create two subnets.

// 1-Public Subnet

resource “aws_subnet” “public-subnet” {
vpc_id = aws_vpc.main.id
cidr_block = “10.10.0.0/24”
map_public_ip_on_launch = true
availability_zone = “ap-south-1a”
tags = {
Name = “public-subnet-1a”
}
}

// 2-private subnet

resource “aws_subnet” “private-subnet” {
vpc_id = aws_vpc.main.id
cidr_block = “10.10.1.0/24”
map_public_ip_on_launch = false
availability_zone =”ap-south-1b”
tags = {
Name = “private-subnet-1b”
}
}

5. Create the Internet Gateway

resource “aws_internet_gateway” “gw” {
vpc_id = aws_vpc.main.id

tags = {
Name = “mygw1”
}
}

6. Create the route table.

resource “aws_route_table” “r” {
vpc_id = aws_vpc.main.id

route {
cidr_block = “0.0.0.0/0”
gateway_id = aws_internet_gateway.gw.id
}

tags = {
Name = “route1”
}
}

7. Connect the route table to public subnet.

resource “aws_route_table_association” “a” {
subnet_id = aws_subnet.public-subnet.id
route_table_id = aws_route_table.r.id
}

8. Create Security group for wordpress and MySql instance.

//Create wordpress security group

resource “aws_security_group” “wp-sg” {
name = “wordpress-SG”
description = “Allow HTTP and SSH inbound traffic”
vpc_id = aws_vpc.main.id

ingress {
description = “HTTP”
from_port = 80
to_port = 80
protocol = “tcp”
cidr_blocks = [“0.0.0.0/0”]
}

ingress {
description = “SSH”
from_port = 22
to_port = 22
protocol = “tcp”
cidr_blocks = [“0.0.0.0/0”]
}
egress {
from_port = 0
to_port = 0
protocol = “-1”
cidr_blocks = [“0.0.0.0/0”]
}

tags = {
Name = “wordpressSG”
}
}

//Create mysql security group

resource “aws_security_group” “db-sg” {
name = “mysql-SG”
description = “Allow webserver-SG inbound traffic”
vpc_id = aws_vpc.main.id

ingress {
description = “MYSQL”
security_groups = [aws_security_group.wp-sg.id]
from_port = 3306
to_port = 3306
protocol = “tcp”

}

egress {
from_port = 0
to_port = 0
protocol = “-1”
cidr_blocks = [“0.0.0.0/0”]
}

tags = {
Name = “mysqlSG”
}
}

9. Launch mysql and wordpress instances.

//Launch mysql instance in private subnet

resource “aws_instance” “mysql” {
ami = “ami-08706cb5f68222d09”
instance_type = “t2.micro”
associate_public_ip_address = false
subnet_id = aws_subnet.private-subnet.id
vpc_security_group_ids = [aws_security_group.db-sg.id]

tags ={
Name = “mysql”
}
}

//Launch wordpress instance

resource “aws_instance” “wordpress” {
ami = “ami-000cbce3e1b899ebd”
instance_type = “t2.micro”
associate_public_ip_address = true
subnet_id = aws_subnet.public-subnet.id
vpc_security_group_ids = [aws_security_group.wp-sg.id]
key_name = aws_key_pair.task_key.key_name

tags ={
Name = “wordpress”
}
}

Now We have to first initialize a working directory with terraform init command.

terraform init

Now we will run the terraform code:

terraform apply -auto-approve

Here is the final output:

VPC, Subnet and Internet Gateway:

Route Table:

Security Group:

EC2 Instance:

Thank You !!

I'm passionate learner diving into the concepts of computing 💻