This project is part of one big project where I research how to build infrastructure in AWS for 2-tier application (and application as well, of course) :
- Terraform (this project) contains all the terraform code to deploy required infra & application code
- Simple Web GUI contains code for simple Web GUI to bridge the gap between user and Lambda functions
- Lambda functions contain code for 3 Lambda functions that replicate simple backend functions
return_ip- returns IP address of the Lambda functionfetch_go_versions- returns JSON with recent 5 Go versionscustom_auth- custom Lambda authorizer (only supports payload formatversion 1.0) that controls access to functions1 & 2when calling via API Gatewaycustom_auth_v2- custom Lambda authorizer (only supports payload formatversion 2.0) that controls access to functions1 & 2when calling via API Gateway
Simple representation of the thing that gets built with this Terraform project (application is also getting deployed as part of this Terraform project):
------------------------------------|--------------------------------
| MAIN VPC | Public space |
| | |
| | <--> Auth Lambda |
----------- --------------- | |
Client ---> | Route 53 | --> Web GUI --> | API Gateway | --> --> Lambda 1 |
------------ --------------- | |
| | --> Lambda 2 |
| | |
| | |
------------------------------------|--------------------------------
Auth(authentication) Lambda is required so we can delegate authentication to API Gateway (albeit there are other ways to do this) instead of doing it in Lambda 1/2
- Git clone this project
- Ensure you have authentication credentials set for Terraform; account should have permissions to create:
- Networks: VPC, Subnets, LB etc
- Applications: Auto Scaling groups, Launch templates etc
- API Gateway
- AWS Lambda Functions
- Ensure you have following items ready prior to launching Terraform:
- S3 buckets to host Terraform state files for
- Networking - sets up network that would be used by API Gateway, Lambdas & Web Tier; set in
network/backend-config.tfvars - Lambdas - spins up Lambda Functions that are to be called from Web Tier (via API Gateway); set in
lambdas/backend-config.tfvars - API Gateway - sets up API Gateway: linkage between Web-Tier and Lambdas + authentication; set in
api-gateway/backend-config.tfvars & api-gateway/data.tf >> data >> config >> bucket & region (same as what set in network) - Web Tier - sets up servers hosted in public subnets; accessible via Internet; set in
web-tier/backend-config.tfvars & web-tier/data.tf >> data >> config >> bucket & region (same as what set in network & api-gateway) - Route53 - links custom DNS (with HTTPS cert) to Web Tier LB; set in
route53/backend-config.tfvars & route53/data.tf >> data >> config >> bucket & region (same as what set in web-tier)
- Networking - sets up network that would be used by API Gateway, Lambdas & Web Tier; set in
terraform.tfvarsfile in each of the module:api-gateway,lambdas,network,route53,web-tierto specify:- TLS certificates (specifically ARN of those) - these would be used to ensure HTTPS connectivity is properly handled
- SSH Keys - so you would be able to log onto Web Tier servers in case you need to debug/play around with those
- There are other required variables, please refer to
variables.tfin each module
backend-config.tfvarsfile in each of the module:api-gateway,lambdas,network,route53,web-tierto specify:bucket- backend bucketkey- backend keyregion- backend region
- S3 buckets to host Terraform state files for
- Items should be deployed in the following order:
network- creates all network related resources
# Required only once or whenever backend config changes terraform init -backend-config=backend-config.tfvars terraform plan -var-file=terraform.tfvars -var-file=backend-config.tfvars terraform apply -var-file=terraform.tfvars -var-file=backend-config.tfvars -auto-approvelambdas- creates all required AWS Lambda Functions
# Required only once or whenever backend config changes terraform init -backend-config=backend-config.tfvars terraform plan -var-file=terraform.tfvars -var-file=backend-config.tfvars terraform apply -var-file=terraform.tfvars -var-file=backend-config.tfvars -auto-approveapi-gateway- creates all AppTier (backend) related resources; depends on the output ofnetwork
# Required only once or whenever backend config changes terraform init -backend-config=backend-config.tfvars terraform plan -var-file=terraform.tfvars -var-file=backend-config.tfvars terraform apply -var-file=terraform.tfvars -var-file=backend-config.tfvars -auto-approveweb-tier- creates all WebTier (front end) related resources; depends on the output ofnetwork&app-tier
# Required only once or whenever backend config changes terraform init -backend-config=backend-config.tfvars terraform plan -var-file=terraform.tfvars -var-file=backend-config.tfvars terraform apply -var-file=terraform.tfvars -var-file=backend-config.tfvars -auto-approveroute53- links custom DNS (with HTTPS cert) to Web Tier LB; depends on the output ofweb-tier
# Required only once or whenever backend config changes terraform init -backend-config=backend-config.tfvars terraform plan -var-file=terraform.tfvars -var-file=backend-config.tfvars terraform apply -var-file=terraform.tfvars -var-file=backend-config.tfvars -auto-approve
By default, AWS provider expects default AWS Config & Crendentials (this could be changed)
# from main.tf
provider "aws" {
region = "eu-west-2"
profile = "default"
}
# cat ~/.aws/config
[default]
region = eu-west-2
output = json
# cat ~/.aws/credentials
[default]
aws_access_key_id = <ACCESS_KEY_ID>
aws_secret_access_key = <SECRET_ACCESS_KEY>
- At the moment it is not nicely implemented, so the only way to remove created infrastructure, is to
1. Comment out everything in main.tf & outputs.tf(if exists) for each deployed module
2. Run `terraform apply` in the following order (effectively in the reverse)
1. Route53
2. Web Tier
3. API Gateway
4. Lambdas
5. Networks
- Tested with Terraform v1.4.0