/tf-cloud-asg

Primary language: HCL. License: GNU General Public License v3.0 (GPL-3.0)

Terraform cloud Hello World Flask Application

Application Link : URL

Terraform

AMI Creation

Started from the Ubuntu 20 AMI from Amazon, installed the Flask application, configured gunicorn to start the server with nginx as a reverse proxy, and took a snapshot of the instance to use as the base AMI. Reference

Terraform Pre-requisites

  • AWS access key ID and secret access key
  • Base AMI that can serve the Flask application on startup (default: ami-0bf93727c047adcf1)
  • Self-signed certificate or Amazon-issued certificate for the HTTPS listener on the load balancer (default: "arn:aws:acm:us-west-2:306984394133:certificate/16c563ab-166e-4725-8b5f-fa775f50d9f3"). Request a public certificate
  • VPC routing must be in place if the application is deployed in a private VPC (the default VPC was used)
  • The SNS module doesn't fully support email as a protocol at the moment, so a topic and subscription had to be created manually and added to the CloudWatch alarm action (default: arn:aws:sns:us-west-2:306984394133:cpu_asg_alarm:e21cbd79-b859-4474-bc0a-9ceff032572d)
  • Modular TF code can serve multiple environments; to add one, create a new folder, set up a Terraform Cloud workspace pointing to the new directory, and update the GitHub Actions YAML to act on changes or pull requests to that directory
  • GitHub Actions is triggered on each pull request and applied on merge to the main branch. Connect GitHub with TF Cloud

Workflow

  • An autoscaling group is created that scales based on a CloudWatch CPU-utilization alarm; the minimum number of instances is 2 and the maximum is 10. Every time the alarm goes off, an autoscaling policy kicks in if the current instance count is within limits: it increments or decrements the count based on load, and an email is sent out.
  • The autoscaling group sits behind a load balancer that serves traffic only over HTTPS; the current deployment uses a self-signed certificate, so you can ignore the browser warning and move ahead
  • Every time a push is made to the main branch, the Terraform Cloud code is applied if the plan succeeds. For every pull request a plan is run on the branch to check that the changes are good. Link
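The scaling loop described above, written out in HCL as an added example (not the repository's own code). The AMI, the 2/10 instance bounds and the 20/80 thresholds over 120 seconds are the README's stated defaults; the resource names, instance type, subnet variable and SNS topic variable are assumptions.

```hcl
# Added example, not the repository's code; names, instance type and variables are assumed.
variable "subnet_ids" { type = list(string) }   # assumed: subnets for the ASG
variable "alarm_topic_arn" { type = string }     # SNS topic ARN created manually (see pre-requisites)

resource "aws_launch_template" "flask" {
  image_id      = "ami-0bf93727c047adcf1"        # base AMI: flask + gunicorn + nginx
  instance_type = "t3.micro"                     # assumed
}

resource "aws_autoscaling_group" "flask" {
  name                = "flask-asg"
  min_size            = 2
  max_size            = 10
  vpc_zone_identifier = var.subnet_ids
  launch_template {
    id = aws_launch_template.flask.id
  }
}

locals {
  # One entry per scaling direction: step size, alarm comparison and CPU threshold.
  scaling = {
    out = { adjustment = 1, comparison = "GreaterThanThreshold", threshold = 80 }
    in  = { adjustment = -1, comparison = "LessThanThreshold", threshold = 20 }
  }
}

resource "aws_autoscaling_policy" "cpu" {
  for_each               = local.scaling
  name                   = "flask-scale-${each.key}"
  autoscaling_group_name = aws_autoscaling_group.flask.name
  adjustment_type        = "ChangeInCapacity"    # +1 / -1; the ASG's min/max keep it in bounds
  scaling_adjustment     = each.value.adjustment
  cooldown               = 120                   # avoid flapping between consecutive steps
}

# Average CPU over one 120-second period; each alarm fires its policy and notifies the SNS topic.
resource "aws_cloudwatch_metric_alarm" "cpu" {
  for_each            = local.scaling
  alarm_name          = "flask-cpu-${each.key}"
  namespace           = "AWS/EC2"
  metric_name         = "CPUUtilization"
  statistic           = "Average"
  period              = 120
  evaluation_periods  = 1
  comparison_operator = each.value.comparison
  threshold           = each.value.threshold
  dimensions          = { AutoScalingGroupName = aws_autoscaling_group.flask.name }
  alarm_actions       = [aws_autoscaling_policy.cpu[each.key].arn, var.alarm_topic_arn]
}
```

Note that alarm_actions expects the ARN of an SNS topic, not of a subscription, so the value passed in alarm_topic_arn must be the topic itself.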

Improvements

  • Bake the image with Packer or Ansible instead of a manual snapshot
  • Use an application load balancer to redirect HTTP traffic to HTTPS
  • Parameterize the CPU utilization threshold (default thresholds: low load = 20, high load = 80 over a period of 120 seconds)
  • Use the AWS CLI with local-exec to create the SNS topic and email subscription
  • More intelligent path-based routing on the load balancer
  • Terraform Cloud does not support run variables at the moment, so tfvars cannot be used; this could be changed to an S3 bucket to overcome it.