This directory contains the Terraform configurations for setting up the complete cloud infrastructure. The stacks are applied in a fixed sequence so that everything a stack depends on already exists when it is applied (the VPC before the security groups, the security groups before anything placed in the VPC, the cluster before the ingress controller, and so on).

1. **VPC (00-vpc/)**
   - Multi-AZ setup
   - Public, private, and DB subnets
   - Internet and NAT Gateways
   - Route tables and associations
2. **Security Groups (10-sg/)**
   - Segmented security rules
   - Least-privilege access
   - Service-specific ingress/egress rules
3. **Bastion Host (20-bastion/)**
   - Jump server for cluster access
   - Used for RDS and EKS management
   - Hardened security configuration
4. **RDS (30-db/)**
   - MySQL database in a private subnet
   - Multi-AZ deployment
   - Automated backups
   - Custom parameter groups
5. **EKS (40-eks/)**
   - Managed Kubernetes cluster
   - Auto-scaling node groups
   - OIDC provider configuration
   - Add-ons management
6. **ACM (50-acm/)**
   - SSL/TLS certificates
   - Domain validation
   - Wildcard certificates
   - Auto-renewal setup
7. **ALB Ingress Controller (60-ingress-alb/)**
   - Application Load Balancer
   - SSL termination
   - Path-based routing
   - Health checks
8. **ECR (70-ecr/)**
   - Container registry
   - Image scanning
   - Lifecycle policies
   - Cross-account access

Additional components (no numbered directory is listed for these):

- **VPN**
  - Alternative to the bastion host
  - Direct access from Windows laptops
  - Secure connection to private resources
- **CloudFront CDN**
  - Global content delivery
  - Edge caching
  - HTTPS enforcement
  - Custom domain support
Apply the stacks in directory order, reviewing each plan before applying it:

```bash
cd 00-vpc
terraform init
terraform plan
terraform apply

cd ../10-sg
terraform init
terraform plan
terraform apply

cd ../20-bastion
terraform init
terraform plan
terraform apply

cd ../30-db
terraform init
terraform plan
terraform apply

cd ../40-eks
terraform init
terraform plan
terraform apply

cd ../50-acm
terraform init
terraform plan
terraform apply

cd ../60-ingress-alb
terraform init
terraform plan
terraform apply

cd ../70-ecr
terraform init
terraform plan
terraform apply
```
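The sequence above is easy to get wrong by hand (skipping a stack, or applying something other than the plan that was reviewed). The script below is an added example, not a script shipped with this repository: it discovers the numbered stack directories, applies them in prefix order, applies only the saved plan file it just produced, and tears everything down in reverse order. `TF_BIN` is a hypothetical override for the `terraform` binary.

```bash
#!/usr/bin/env bash
# Added example, not part of this repository: a driver that applies the numbered
# stacks in directory order and destroys them in reverse. Each stack is planned to
# a file and only that saved plan is applied, so what was reviewed is what runs.
# TF_BIN is a hypothetical override used to point at a specific terraform binary.
set -eu

TF_BIN="${TF_BIN:-terraform}"

# List the stack directories under $1 (00-vpc, 10-sg, ...) in prefix order.
ordered_stacks() {
  local root="$1" d
  for d in "$root"/[0-9][0-9]-*/; do
    [ -d "$d" ] || continue        # no match: the glob is returned literally
    basename "$d"
  done | sort
}

# Init, plan and (only if the plan has changes) apply one stack directory.
# terraform plan -detailed-exitcode: 0 = no changes, 1 = error, 2 = changes.
apply_stack() {
  local dir="$1" rc
  echo "==> $dir"
  (
    cd "$dir"
    "$TF_BIN" init -input=false
    rc=0
    "$TF_BIN" plan -input=false -detailed-exitcode -out=tfplan || rc=$?
    case "$rc" in
      0) echo "    no changes" ;;
      2) "$TF_BIN" apply -input=false tfplan ;;
      *) echo "    plan failed (exit $rc)" >&2; exit "$rc" ;;
    esac
  )
}

# Apply every stack in order; set -e stops at the first failure.
deploy_all() {
  local root="$1"
  ordered_stacks "$root" | while read -r s; do apply_stack "$root/$s"; done
}

# Tear down in reverse order (ingress before cluster, cluster before VPC, ...).
# destroy keeps its interactive confirmation on purpose.
destroy_all() {
  local root="$1"
  ordered_stacks "$root" | sort -r | while read -r s; do
    echo "==> destroy $s"
    ( cd "$root/$s" && "$TF_BIN" init -input=false && "$TF_BIN" destroy )
  done
}

# Usage: ./deploy.sh deploy .    or    ./deploy.sh destroy .
case "${1:-}" in
  deploy)  deploy_all "${2:-.}" ;;
  destroy) destroy_all "${2:-.}" ;;
esac
```

Applying a saved plan file rather than running `terraform apply` directly is what makes the review step meaningful: the apply cannot diverge from what was shown, even if state or providers changed in between.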
1. SSH to the bastion:

   ```bash
   ssh -i "path/to/key.pem" ubuntu@<bastion-public-ip>
   ```

2. Configure the AWS CLI:

   ```bash
   aws configure   # enter your AWS credentials when prompted
   ```

   Long-lived access keys typed into a shared jump host are a liability: anyone who gets a shell on the bastion gets them too. Prefer attaching an IAM instance profile to the bastion so the CLI and kubectl pick up short-lived credentials without any keys on disk.

3. Configure kubectl:

   ```bash
   aws eks update-kubeconfig --region us-east-1 --name <cluster-name>
   ```

   The IAM identity you are using must be granted access to the cluster (aws-auth ConfigMap or EKS access entries); otherwise the next step fails with `Unauthorized` even though the kubeconfig was written.

4. Verify cluster access:

   ```bash
   kubectl get nodes
   ```

5. Connect to RDS through the bastion:

   ```bash
   mysql -h <db-r53-address> -u root -p
   ```

   Type the master password at the prompt (this README's default is `ExpenseApp1`; rotate it before the database holds real data). Do not append it to `-p` on the command line: it would land in the shell history and be visible to every user on the bastion through `ps`.

6. Initialize the database:
   - The schema is created during RDS provisioning
   - Execute backend.sql for:
     - Table creation
     - User setup
     - Privilege configuration

   Once backend.sql has created the application user, the application should connect as that user with only the privileges it was granted, not as `root`.
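The bastion and RDS steps above can be done from the laptop without copying the key or the password onto the jump host. The following is an added example, not code from this repository: it opens an SSH tunnel through the bastion to the private RDS endpoint, writes a `0600` MySQL defaults file whose password is taken from `$DB_PASSWORD` or a hidden prompt (both assumed names), runs `backend.sql` over the tunnel, and cleans up. The `ubuntu` login and `path/to/key.pem` are the ones used elsewhere in this README.

```bash
#!/usr/bin/env bash
# Added example, not part of this repository: reach the private RDS endpoint from
# a laptop through the bastion without ever putting the password on a command line.
# Assumed names: $DB_PASSWORD (env var holding the password, otherwise prompted)
# and the ubuntu login on the bastion as used elsewhere in this README.
set -eu

# Write a MySQL client defaults file readable only by the current user.
# $1 = file, $2 = host, $3 = port, $4 = user. The password never appears in
# argv, so it is invisible to `ps` and absent from shell history.
write_mysql_defaults() {
  local file="$1" host="$2" port="$3" user="$4" pw
  pw="${DB_PASSWORD:-}"
  if [ -z "$pw" ]; then
    printf 'MySQL password for %s: ' "$user" >&2
    stty -echo; read -r pw; stty echo; echo >&2
  fi
  # umask 077 in a subshell: the file is created 0600 and the umask change does not leak.
  ( umask 077
    printf '[client]\nhost=%s\nport=%s\nuser=%s\npassword=%s\n' \
      "$host" "$port" "$user" "$pw" > "$file" )
}

# Open an SSH tunnel: 127.0.0.1:$4 -> $3:3306 via the bastion at $2, using key $1.
# -M/-S keep a control socket ($5) so the tunnel can be closed cleanly later.
open_tunnel() {
  ssh -i "$1" -M -S "$5" -f -N -o ExitOnForwardFailure=yes \
      -L "127.0.0.1:$4:$3:3306" "ubuntu@$2"
}

close_tunnel() {   # $1 = control socket, $2 = bastion
  ssh -S "$1" -O exit "ubuntu@$2" 2>/dev/null || true
}

# Run a SQL file (e.g. backend.sql) over the tunnel using the defaults file.
# --defaults-extra-file must be the first option mysql sees.
run_sql() {   # $1 = defaults file, $2 = sql file
  mysql --defaults-extra-file="$1" < "$2"
}

# Whole flow: tunnel up, 0600 defaults file, run the script, clean up on exit.
# $1 key, $2 bastion public ip, $3 RDS address, $4 db user, $5 sql file
db_session() {
  BASTION="$2"; WORK=$(mktemp -d); CTL="$WORK/ctl"
  trap 'close_tunnel "$CTL" "$BASTION"; rm -rf "$WORK"' EXIT
  open_tunnel "$1" "$BASTION" "$3" 13306 "$CTL"
  write_mysql_defaults "$WORK/my.cnf" 127.0.0.1 13306 "$4"
  run_sql "$WORK/my.cnf" "$5"
}

# Usage: ./db.sh path/to/key.pem <bastion-public-ip> <db-r53-address> root backend.sql
if [ "$#" -eq 5 ]; then
  db_session "$@"
fi
```

The defaults file lives in a private temporary directory and is removed by the `EXIT` trap together with the tunnel, so neither the password nor an open forwarding session outlives the command.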
1. Create the OIDC provider (if 40-eks already associated one, as its description says, eksctl reports that and changes nothing):

   ```bash
   eksctl utils associate-iam-oidc-provider \
     --region us-east-1 \
     --cluster <cluster-name> \
     --approve
   ```

2. Download the IAM policy. The policy changes between controller releases, so the version in the URL must match the controller version you install:

   ```bash
   curl -o iam-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.8.1/docs/install/iam_policy.json
   ```

3. Create the IAM policy:

   ```bash
   aws iam create-policy \
     --policy-name AWSLoadBalancerControllerIAMPolicy \
     --policy-document file://iam-policy.json
   ```

4. Create the service account. This creates an IAM role that only this ServiceAccount can assume through the cluster's OIDC provider, attaches the policy to it, and annotates the ServiceAccount with the role ARN; no node-level permissions are involved:

   ```bash
   eksctl create iamserviceaccount \
     --cluster=<cluster-name> \
     --namespace=kube-system \
     --name=aws-load-balancer-controller \
     --attach-policy-arn=arn:aws:iam::<AWS_ACCOUNT_ID>:policy/AWSLoadBalancerControllerIAMPolicy \
     --override-existing-serviceaccounts \
     --approve
   ```

5. Install the Load Balancer Controller, pointing it at the ServiceAccount created above rather than letting the chart create an unprivileged one:

   ```bash
   # Add Helm repo
   helm repo add eks https://aws.github.io/eks-charts

   # Install controller
   helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
     -n kube-system \
     --set clusterName=<cluster-name> \
     --set serviceAccount.create=false \
     --set serviceAccount.name=aws-load-balancer-controller
   ```

6. Verify the installation:

   ```bash
   kubectl get pods -n kube-system | grep aws-load-balancer-controller
   ```

   A controller pod that starts but then fails to create load balancers usually means the ServiceAccount is not annotated with the role, or the role's trust policy does not name this ServiceAccount.
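`eksctl create iamserviceaccount` hides the piece that matters for least privilege: the role's trust policy, which pins `sts:AssumeRoleWithWebIdentity` to one ServiceAccount via the cluster's OIDC issuer. The script below is an added example, not part of this repository or of eksctl: it builds that trust policy by hand, creates and annotates the equivalent role and ServiceAccount, and checks the wiring afterwards. The role name, account id and the policy ARN from the step above are inputs you supply; `trust_policy_pins_sa` is a hypothetical helper name.

```bash
#!/usr/bin/env bash
# Added example, not part of this repository: the IAM role binding that
# `eksctl create iamserviceaccount` builds for the controller, written out by hand
# so the least-privilege trust relationship is visible and can be audited.
# Assumed inputs: cluster region/name, account id, a role name of your choosing,
# and the policy ARN created in the step above.
set -eu

# Trust policy for IAM Roles for Service Accounts (IRSA): only a token issued by
# this cluster's OIDC provider for exactly ServiceAccount $3/$4, with audience
# sts.amazonaws.com, may assume the role. $1 = issuer without https://, $2 = account.
irsa_trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Federated": "arn:aws:iam::$2:oidc-provider/$1" },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {
        "$1:aud": "sts.amazonaws.com",
        "$1:sub": "system:serviceaccount:$3:$4"
      }
    }
  }]
}
EOF
}

# Exit 0 if trust policy document $1 pins the sub claim to ServiceAccount $2/$3 and
# the audience to STS, with no wildcard that would let any pod in the namespace
# (or cluster) assume the role. (hypothetical helper, added here)
trust_policy_pins_sa() {
  printf '%s' "$1" | grep -qF "\"system:serviceaccount:$2:$3\"" || return 1
  printf '%s' "$1" | grep -qF '"sts.amazonaws.com"' || return 1
  ! printf '%s' "$1" | grep -q 'system:serviceaccount:[^"]*\*'
}

# The cluster's OIDC issuer in the form the provider ARN uses (scheme stripped).
oidc_issuer() {   # $1 = region, $2 = cluster name
  aws eks describe-cluster --region "$1" --name "$2" \
    --query 'cluster.identity.oidc.issuer' --output text | sed 's#^https://##'
}

# Create the role, attach the controller policy, and annotate the ServiceAccount.
# $1 region, $2 cluster, $3 account id, $4 role name, $5 policy ARN
create_controller_role() {
  local issuer
  issuer=$(oidc_issuer "$1" "$2")
  aws iam create-role --role-name "$4" \
    --assume-role-policy-document \
    "$(irsa_trust_policy "$issuer" "$3" kube-system aws-load-balancer-controller)"
  aws iam attach-role-policy --role-name "$4" --policy-arn "$5"
  kubectl -n kube-system create serviceaccount aws-load-balancer-controller \
    --dry-run=client -o yaml | kubectl apply -f -
  kubectl -n kube-system annotate serviceaccount aws-load-balancer-controller \
    "eks.amazonaws.com/role-arn=arn:aws:iam::$3:role/$4" --overwrite
}

# Check the wiring: the SA must point at the role and the role's trust policy must
# name that SA. $1 = account id, $2 = role name. Exit 0 only if both hold.
verify_irsa() {
  local want got doc
  want="arn:aws:iam::$1:role/$2"
  got=$(kubectl -n kube-system get serviceaccount aws-load-balancer-controller \
        -o 'jsonpath={.metadata.annotations.eks\.amazonaws\.com/role-arn}')
  [ "$got" = "$want" ] || { echo "SA annotation is '$got', expected '$want'" >&2; return 1; }
  doc=$(aws iam get-role --role-name "$2" \
        --query 'Role.AssumeRolePolicyDocument' --output json)
  trust_policy_pins_sa "$doc" kube-system aws-load-balancer-controller \
    || { echo "role trust policy does not pin the controller ServiceAccount" >&2; return 1; }
}
```

The `sub` condition is the whole point: a trust policy that uses `StringLike` with `system:serviceaccount:kube-system:*` would let every pod in `kube-system` obtain the controller's ELB and EC2 permissions, which is why the check rejects wildcards.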
- Always follow the deployment sequence to avoid dependency issues
- Keep Terraform state in a remote backend with versioning, encryption at rest and state locking rather than relying on ad-hoc copies of local state files. State holds sensitive values in plaintext (the RDS master password among them), so restrict who can read the backend as tightly as the database itself
- Use consistent tagging for resources
- Monitor costs and resource usage
- Keep security groups and access rules updated, and remove rules whose purpose no longer exists
- Regularly rotate credentials and keys, including the default database password and the SSH key used for the bastion