DEV Community: Mart Young The latest articles on DEV Community by Mart Young (@mart_young_ce778e4c31eb33). https://dev.to/mart_young_ce778e4c31eb33 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2785230%2F09bb2b0e-91c2-4a71-ae74-34155ec3b326.png DEV Community: Mart Young https://dev.to/mart_young_ce778e4c31eb33 en 🧪 Selling Digital Privacy - My GDRP Toolkit Journey Mart Young Fri, 12 Dec 2025 09:25:24 +0000 https://dev.to/mart_young_ce778e4c31eb33/selling-digital-privacy-my-gdrp-toolkit-journey-k25 https://dev.to/mart_young_ce778e4c31eb33/selling-digital-privacy-my-gdrp-toolkit-journey-k25 <p><strong>Two months ago, I shelved my GDRP toolkit project halfway.</strong> Thoughts like "who cares?", "How accurate enough can this be", and mostly, "Who would want to buy?" was constantly what i had to deal with every step of the way. </p> <p>Well, it's live on Gumroad, the idea of helping others navigate compliance and also generating a trickle of passive income is now a reality.</p> <blockquote> <p>How I built, launched, and learned from my first difital product focusing on one of internet's most intimidating acronyms - <strong>GDRP</strong>.</p> </blockquote> <h2> Why GDRP </h2> <p>I built a <strong>GDRP-Compliant AWS infrastructure setup using Terraform</strong>, packaged with detailed documentation, reuseable Terraform modules, and deployment templates. Think of it as a <strong>plug-and-play toolkit</strong> for DevOps engineers, founders. or freelancers who want to launch EU-friendly cloud products without hiring a privacy lawyer.</p> <p><strong>Why GDRP?</strong> As a DevOps engineer who has worked across cloud infrastructure and compliance-heavy idustries over time, I have witnessed first hand how intimidating data privacy laws can be, especially for small teams. It's not like they <em>don't care</em>, they are just overwhlmed, confused or resource-strapped. <br> And that was my in.</p> <h2> What Sparked this Project </h2> <p>One thing is quite clear <strong>GDRP is notoriously vague</strong>, and AWS on the other hand is notoriously complex. When the two mix, they live choas in their wake.</p> <p>As a DevOps engineer and cloud consultant, I kept noticing a pattern - <strong>most clients know they needed GDRP compliance</strong>, but rarely knew where or how to start. Some just copy-paste outdated checklists, others would trust their cloud setup defaults. One client even said, <em>"We're GDRP-ready because we use AWS. Right?"</em></p> <p>Spoiler alert: <strong>Wrong</strong>.</p> <p>This was when it hit me <strong>What if i could codify compliance</strong> into reuseable infra that meets GDPR standards <strong>by design</strong>?</p> <h2> The Dice was cast (and Nearly Giving Up) </h2> <h3> Research &amp; Validation </h3> <p>Before writing a single line of Terraform, I asked around <em>freelancer communities, Reddit and whatsapp groups</em>. I posted a simple question: <strong>"Would a pre-built GDRP-friendly AWS starter kit help you or your clients?"</strong></p> <p>The responses were quite encouraging. Some even offered to pay for an early copy.</p> <h3> 🛠️ Tools I Used </h3> <ul> <li> <strong>Terraform</strong>: For infrastructure-as-code module (VPCs, ECS, RDS, KMS, S3, CloudTrail, Cloudwatch, IAM - all privacy-hardened).</li> <li> <strong>Notion</strong>: For organizing my checklist and writing the compliance documentation.</li> <li> <strong>VS Code &amp; Github</strong>: My dev and version control environment</li> </ul> <h3> ⏳ Development Time </h3> <p>I worked this project mostly late in the evenings and during the weekends. It took me about <strong>~35 hours over 4 weeks.</strong> Mostly spent on:</p> <ul> <li>Testing and re-testing deployments.</li> <li>Writing clean, expandable Terraform code.</li> <li>Making sure every module met GDRP principles: data encryption, logging, auditability and region restrictions.</li> </ul> <h3> Bigest Challenge? </h3> <p><strong>Legal confidence.</strong> Like yok already know, I'm not a lawyer, I had to make sure the toolkit aligned with <em>technical requirements</em> of GDRP. Not just the spirit, but also the letters. I had to review the <a href="https://ico.org.uk/" rel="noopener noreferrer">ICO guidance</a>, read AWS whitepapers extensively and had a privacy advisor look over the docs. (worth every penny).</p> <h2> Launching on Gumroad </h2> <h3> 🛒 Why? </h3> <p>I chose <strong>Gumroad</strong> for three reasons:</p> <ol> <li> <strong>No upfront cost</strong>, perfect for testing the waters.</li> <li> <strong>Simple setup</strong>, I could lauch in munites.</li> <li> <strong>Digital product friendly</strong>, Gumroad's audience <em>gets</em> toolkits, templates, and niche SaaS assets.</li> </ol> <h3> 💰 Pricing Strategy </h3> <p>I decided on <strong>\$59 for personal use</strong> and <strong>\$99 for basic comercial/agency use</strong>. <br> Why?</p> <ul> <li>It undercut most legal templates. </li> <li>The value was in <em>saving time</em> and <em>avoiding legal risk</em> a nightmare for freelancers and bootstrapped startups.</li> </ul> <h2> What I Learned </h2> <h3> 📈 Results </h3> <ul> <li> <strong>Over \$600 in sales</strong> within first 2 weeks.</li> <li> <strong>X former Twitter</strong>, followered by direct links via Emails</li> <li> <strong>11 purchases</strong>: mostly personal use </li> <li> <strong>Most customers were freelancers</strong>, not startup founders. That flipped my assumptions</li> <li> <strong>Gumroad discovery is weak</strong>. Most sales came from <em>my own network</em>, not their marketplace</li> <li> <strong>"Compliance" sounds boring.</strong> I got better results using phrases like <em>"data privacy-ready"</em> and <em>"cloud compliance toolkit"</em>.</li> </ul> <h3> Lessons Learned </h3> <ul> <li> <strong>Overdeliver with clarity.</strong> Documentation matters more than design.</li> <li> <strong>People pay for simplicity.</strong> Just making AWS + GDRP less intimidating is valuable.</li> </ul> <h2> What's Next? </h2> <ul> <li> <strong>Expanding the kit</strong> to include support for other cloud providers like Azure &amp; GCP.</li> <li> <strong>Creating a micro-course</strong> on GDRP-compliant cloud design.</li> <li> <strong>Exploring privacy laws beyond GDRP</strong>, like CCPA or Brazil's LGPD</li> </ul> <p>I am also testing selling on <strong>Lemon Squeezy or Payhip</strong> for a better visibiity.</p> <h2> Final Thoughts </h2> <p>I did not set out to "start a business", just to solve a problem I noticed over and over again. If you are thinking about lauching your own digital product, here's my nugde: <strong>Pick a niche, validate it fast, and ship even if it's not perfect.</strong></p> <p>Want to check out the toolkit? <a href="https://martyoung.gumroad.com/l/swhae" rel="noopener noreferrer">Use this Here link</a><br> Got any questions? I'd love to hear your thoughts.</p> privacy showdev terraform aws Build a Blue/Green deployment with Nginx Auto-Failover Mart Young Tue, 09 Dec 2025 15:54:05 +0000 https://dev.to/mart_young_ce778e4c31eb33/build-a-bluegreen-deployment-with-nginx-auto-failover-4fji https://dev.to/mart_young_ce778e4c31eb33/build-a-bluegreen-deployment-with-nginx-auto-failover-4fji <p><em>Imagine you run two identical kitchens: Blue and Green. One serves customers, the other is warmed up and ready. If the active kitchen has trouble, you quietly switch orders to the standby and nobody notices. That’s Blue/Green. In this post we’ll build it ourselves, line by line, with Nginx doing the instant handoff—no prior code or prebuilt images required.</em></p> <h2> How It Fits Together (Quick Map) </h2> <ul> <li> <strong>Nginx</strong>: Front door. Sends traffic to the main pool, retries fast, and falls back to backup if the main one misbehaves. Logs everything as JSON.</li> <li> <strong>Apps (Blue &amp; Green)</strong>: Same Node.js app, two copies. Env vars label which is which. They expose <code>/healthz</code>, <code>/version</code>, and chaos endpoints so we can test.</li> <li> <strong>Dockerfile</strong>: Builds the app once; both Blue and Green use it.</li> <li> <strong>docker-compose.yaml</strong>: Starts both apps, Nginx, and (if you want) the Slack watcher. Sets ports and health checks.</li> <li> <strong>nginx.conf.template</strong>: Tells Nginx who’s primary, who’s backup, and to be impatient with failures.</li> <li> <strong>watcher.py</strong>: Reads Nginx logs and posts to Slack when failover or high errors happen (optional, but helpful).</li> <li> <strong>.env</strong>: One place to pick the active pool and set labels/alert thresholds.</li> </ul> <h2> What You’ll Learn </h2> <ul> <li>Blue/Green basics (two identical apps, one live, one ready).</li> <li>How Nginx routes to a primary and instantly falls back to a backup.</li> <li>Why health checks, short timeouts, and retries make failover fast.</li> <li>How to add chaos endpoints to <em>prove</em> failover works.</li> <li>How to read structured logs (and send Slack alerts) so you know which pool served traffic.</li> <li>How to wire it all together with Docker Compose—no Kubernetes needed.</li> </ul> <h2> Prerequisites </h2> <ul> <li>Docker + Docker Compose.</li> <li>Node.js (so we can build the tiny app locally).</li> <li>(Optional) Slack webhook URL if you want alerts.</li> <li>A terminal and a text editor. That’s it.</li> </ul> <h2> 1) Create the Project from Scratch </h2> <p>Let’s start with nothing and build every file ourselves. Copy/paste is fine—understanding why each piece exists is the real goal.</p> <h3> 1.1 package.json </h3> <p>This defines our minimal Node app and its dependencies.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> <span class="o">&gt;</span> package.json <span class="o">&lt;&lt;</span><span class="sh">'</span><span class="no">EOF</span><span class="sh">' { "name": "blue-green-app", "version": "1.0.0", "main": "app.js", "license": "MIT", "scripts": { "start": "node app.js" }, "dependencies": { "express": "^4.18.2" } } </span><span class="no">EOF </span></code></pre> </div> <h3> 1.2 app.js (with health + chaos endpoints) </h3> <p>This tiny server:</p> <ul> <li>Responds to <code>/healthz</code> so Nginx can decide if we’re alive.</li> <li>Responds to <code>/version</code> with headers that tell us which pool handled the request.</li> <li>Has chaos endpoints so we can intentionally break one pool and watch traffic fail over. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> <span class="o">&gt;</span> app.js <span class="o">&lt;&lt;</span><span class="sh">'</span><span class="no">EOF</span><span class="sh">' const express = require('express'); const app = express(); const APP_POOL = process.env.APP_POOL || 'unknown'; const RELEASE_ID = process.env.RELEASE_ID || 'unknown'; const PORT = process.env.PORT || 3000; let chaosMode = false; let chaosType = 'error'; // 'error' or 'timeout' // Add headers for tracing app.use((req, res, next) =&gt; { res.setHeader('X-App-Pool', APP_POOL); res.setHeader('X-Release-Id', RELEASE_ID); next(); }); app.get('/', (req, res) =&gt; { res.json({ service: 'Blue/Green Demo', pool: APP_POOL, releaseId: RELEASE_ID, status: chaosMode ? 'chaos' : 'healthy', chaosMode, chaosType: chaosMode ? chaosType : null, timestamp: new Date().toISOString(), endpoints: { version: '/version', health: '/healthz', chaos: '/chaos/start, /chaos/stop' } }); }); app.get('/healthz', (req, res) =&gt; { res.status(200).json({ status: 'healthy', pool: APP_POOL }); }); app.get('/version', (req, res) =&gt; { if (chaosMode &amp;&amp; chaosType === 'error') return res.status(500).json({ error: 'Chaos: server error' }); if (chaosMode &amp;&amp; chaosType === 'timeout') return; // simulate hang res.json({ version: '1.0.0', pool: APP_POOL, releaseId: RELEASE_ID, timestamp: new Date().toISOString() }); }); app.post('/chaos/start', (req, res) =&gt; { const mode = req.query.mode || 'error'; chaosMode = true; chaosType = mode; res.json({ message: 'Chaos started', mode, pool: APP_POOL }); }); app.post('/chaos/stop', (req, res) =&gt; { chaosMode = false; chaosType = 'error'; res.json({ message: 'Chaos stopped', pool: APP_POOL }); }); app.listen(PORT, '0.0.0.0', () =&gt; { console.log(`App (</span><span class="k">${</span><span class="nv">APP_POOL</span><span class="k">}</span><span class="sh">) listening on </span><span class="k">${</span><span class="nv">PORT</span><span class="k">}</span><span class="sh">`); console.log(`Release ID: </span><span class="k">${</span><span class="nv">RELEASE_ID</span><span class="k">}</span><span class="sh">`); }); </span><span class="no">EOF </span></code></pre> </div> <h3> 1.3 Dockerfile (build the app image) </h3> <p>We’ll build the same image for Blue and Green; only the environment variables differ.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> <span class="o">&gt;</span> Dockerfile <span class="o">&lt;&lt;</span><span class="sh">'</span><span class="no">EOF</span><span class="sh">' FROM node:18-alpine WORKDIR /app # Install dependencies COPY package*.json ./ RUN npm install --only=production # Copy app code COPY . . EXPOSE 3000 CMD ["npm", "start"] </span><span class="no">EOF </span></code></pre> </div> <h2> 2) Nginx Config (Auto-Failover Upstreams) </h2> <p>Nginx is our traffic director. We template it so a single env var (<code>ACTIVE_POOL</code>) chooses who is primary. Create <code>nginx.conf.template</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> <span class="o">&gt;</span> nginx.conf.template <span class="o">&lt;&lt;</span><span class="sh">'</span><span class="no">EOF</span><span class="sh">' events { worker_connections 1024; } http { # Structured JSON access logs log_format custom_json '{"time":"</span><span class="nv">$time_iso8601</span><span class="sh">"' ',"remote_addr":"</span><span class="nv">$remote_addr</span><span class="sh">"' ',"method":"</span><span class="nv">$request_method</span><span class="sh">"' ',"uri":"</span><span class="nv">$request_uri</span><span class="sh">"' ',"status":</span><span class="nv">$status</span><span class="sh">' ',"bytes_sent":</span><span class="nv">$bytes_sent</span><span class="sh">' ',"request_time":</span><span class="nv">$request_time</span><span class="sh">' ',"upstream_response_time":"</span><span class="nv">$upstream_response_time</span><span class="sh">"' ',"upstream_status":"</span><span class="nv">$upstream_status</span><span class="sh">"' ',"upstream_addr":"</span><span class="nv">$upstream_addr</span><span class="sh">"' ',"pool":"</span><span class="nv">$sent_http_x_app_pool</span><span class="sh">"' ',"release":"</span><span class="nv">$sent_http_x_release_id</span><span class="sh">"}'; upstream blue_pool { server app-blue:3000 max_fails=1 fail_timeout=3s; server app-green:3000 backup; } upstream green_pool { server app-green:3000 max_fails=1 fail_timeout=3s; server app-blue:3000 backup; } server { listen 80; server_name localhost; # Write JSON logs (shared volume) access_log /var/log/nginx/access.json custom_json; # Health check for LB location /healthz { access_log off; return 200 "healthy</span><span class="se">\n</span><span class="sh">"; add_header Content-Type text/plain; } location / { proxy_pass http://</span><span class="nv">$UPSTREAM_POOL</span><span class="sh">; proxy_set_header Host </span><span class="nv">$host</span><span class="sh">; proxy_set_header X-Real-IP </span><span class="nv">$remote_addr</span><span class="sh">; proxy_set_header X-Forwarded-For </span><span class="nv">$proxy_add_x_forwarded_for</span><span class="sh">; proxy_set_header X-Forwarded-Proto </span><span class="nv">$scheme</span><span class="sh">; proxy_connect_timeout 1s; proxy_send_timeout 3s; proxy_read_timeout 3s; proxy_next_upstream error timeout http_500 http_502 http_503 http_504; proxy_next_upstream_tries 2; proxy_next_upstream_timeout 10s; proxy_pass_request_headers on; proxy_hide_header X-Powered-By; } } } </span><span class="no">EOF </span></code></pre> </div> <p><strong>Why these settings? (plain English)</strong></p> <ul> <li> <code>max_fails=1 fail_timeout=3s</code>: one bad request is enough to say “try the other one” for a few seconds.</li> <li>Short timeouts (1s connect, 3s send/read): don’t wait around; switch fast.</li> <li> <code>proxy_next_upstream</code> + retries: if the main one errors or stalls, immediately try the backup within ~10s total.</li> </ul> <blockquote> <p>What just happened? Nginx knows who’s main, who’s backup, and to give up quickly on a slow/broken main.</p> </blockquote> <h2> 3) Optional Alerts: watcher.py + requirements.txt </h2> <p>Think of this as a friendly pager: it reads Nginx’s JSON logs and pings Slack when failover happens or errors spike. If you don’t want alerts, you can skip this section and remove the watcher service later.</p> <p><code>requirements.txt</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> <span class="o">&gt;</span> requirements.txt <span class="o">&lt;&lt;</span><span class="sh">'</span><span class="no">EOF</span><span class="sh">' requests==2.32.3 </span><span class="no">EOF </span></code></pre> </div> <p><code>watcher.py</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> <span class="o">&gt;</span> watcher.py <span class="o">&lt;&lt;</span><span class="sh">'</span><span class="no">EOF</span><span class="sh">' import json, os, time, requests from collections import deque from datetime import datetime, timezone LOG_PATH = os.environ.get("NGINX_LOG_FILE", "/var/log/nginx/access.json") SLACK_WEBHOOK_URL = os.environ.get("SLACK_WEBHOOK_URL", "") SLACK_PREFIX = os.environ.get("SLACK_PREFIX", "from: @Watcher") ACTIVE_POOL = os.environ.get("ACTIVE_POOL", "blue") ERROR_RATE_THRESHOLD = float(os.environ.get("ERROR_RATE_THRESHOLD", "2")) WINDOW_SIZE = int(os.environ.get("WINDOW_SIZE", "200")) ALERT_COOLDOWN_SEC = int(os.environ.get("ALERT_COOLDOWN_SEC", "300")) MAINTENANCE_MODE = os.environ.get("MAINTENANCE_MODE", "false").lower() == "true" def now_iso(): return datetime.now(timezone.utc).isoformat() def post_to_slack(text: str): if not SLACK_WEBHOOK_URL: return try: requests.post(SLACK_WEBHOOK_URL, json={"text": f"{SLACK_PREFIX} | {text}"}, timeout=5).raise_for_status() except Exception: pass def parse(line: str): try: data = json.loads(line.strip()) return { "pool": data.get("pool"), "release": data.get("release"), "status": int(data["status"]) if data.get("status") else None, "upstream_status": str(data.get("upstream_status") or ""), "upstream_addr": data.get("upstream_addr"), } except Exception: return None class AlertState: def __init__(self): self.last_pool = ACTIVE_POOL self.window = deque(maxlen=WINDOW_SIZE) self.cooldowns = {} def cooldown_ok(self, key): now = time.time() last = self.cooldowns.get(key) if last is None or (now - last) &gt;= ALERT_COOLDOWN_SEC: self.cooldowns[key] = now return True return False def error_rate_pct(self): if not self.window: return 0.0 err = 0 for evt in self.window: if any(s.startswith("5") for s in evt.get("upstream_status","").split(",") if s): err += 1 elif evt.get("status") and 500 &lt;= int(evt["status"]) &lt;= 599: err += 1 return (err / len(self.window)) * 100.0 def handle(self, evt): self.window.append(evt) if MAINTENANCE_MODE: return pool = evt.get("pool") if pool and self.last_pool and pool != self.last_pool: if self.cooldown_ok(f"failover_to_{pool}"): post_to_slack(f"*Failover Detected*: {self.last_pool} → {pool}</span><span class="se">\n</span><span class="sh">• time: {now_iso()}</span><span class="se">\n</span><span class="sh">• error_rate: {self.error_rate_pct():.2f}%</span><span class="se">\n</span><span class="sh">• upstream: {evt.get('upstream_addr')}") self.last_pool = pool if len(self.window) &gt;= max(10, int(WINDOW_SIZE * 0.5)): rate = self.error_rate_pct() if rate &gt; ERROR_RATE_THRESHOLD and self.cooldown_ok(f"error_rate_{int(round(rate))}"): post_to_slack(f"*High Error Rate*: {rate:.2f}% over last {len(self.window)} requests</span><span class="se">\n</span><span class="sh">• time: {now_iso()}</span><span class="se">\n</span><span class="sh">• active_pool: {pool or self.last_pool}") def tail(path): with open(path, "r") as f: f.seek(0, os.SEEK_END) while True: line = f.readline() if not line: time.sleep(0.2) continue yield line def main(): state = AlertState() while not os.path.exists(LOG_PATH): time.sleep(0.5) for line in tail(LOG_PATH): evt = parse(line) if evt: state.handle(evt) if __name__ == "__main__": main() </span><span class="no">EOF </span></code></pre> </div> <h2> 4) docker-compose.yaml (Build + Orchestrate) </h2> <p>Compose glues everything together: it builds the single app image, runs it twice (Blue/Green), starts Nginx, and (optionally) the Slack watcher. This is the “one file to rule them all.”<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> <span class="o">&gt;</span> docker-compose.yaml <span class="o">&lt;&lt;</span><span class="sh">'</span><span class="no">EOF</span><span class="sh">' version: '3.8' services: app-blue: build: context: . dockerfile: Dockerfile container_name: blue-app environment: - APP_POOL=blue - RELEASE_ID=</span><span class="k">${</span><span class="nv">RELEASE_ID_BLUE</span><span class="k">}</span><span class="sh"> - PORT=</span><span class="k">${</span><span class="nv">PORT</span><span class="k">:-</span><span class="nv">3000</span><span class="k">}</span><span class="sh"> ports: - "8081:3000" healthcheck: test: ["CMD-SHELL", "wget --no-verbose --tries=1 --spider http://127.0.0.1:3000/healthz || exit 1"] interval: 5s timeout: 3s retries: 3 start_period: 10s app-green: build: context: . dockerfile: Dockerfile container_name: green-app environment: - APP_POOL=green - RELEASE_ID=</span><span class="k">${</span><span class="nv">RELEASE_ID_GREEN</span><span class="k">}</span><span class="sh"> - PORT=</span><span class="k">${</span><span class="nv">PORT</span><span class="k">:-</span><span class="nv">3000</span><span class="k">}</span><span class="sh"> ports: - "8082:3000" healthcheck: test: ["CMD-SHELL", "wget --no-verbose --tries=1 --spider http://127.0.0.1:3000/healthz || exit 1"] interval: 5s timeout: 3s retries: 3 start_period: 10s nginx: image: nginx:alpine container_name: nginx-lb ports: - "8080:80" environment: - ACTIVE_POOL=</span><span class="k">${</span><span class="nv">ACTIVE_POOL</span><span class="k">}</span><span class="sh"> - UPSTREAM_POOL=</span><span class="k">${</span><span class="nv">ACTIVE_POOL</span><span class="k">}</span><span class="sh">_pool volumes: - ./nginx.conf.template:/etc/nginx/nginx.conf.template:ro - nginx_logs:/var/log/nginx depends_on: - app-blue - app-green command: &gt; sh -c " envsubst '</span><span class="nv">$$</span><span class="sh">UPSTREAM_POOL' &lt; /etc/nginx/nginx.conf.template &gt; /etc/nginx/nginx.conf &amp;&amp; nginx -g 'daemon off;' " alert_watcher: image: python:3.11-slim container_name: alert-watcher depends_on: - nginx environment: - SLACK_WEBHOOK_URL=</span><span class="k">${</span><span class="nv">SLACK_WEBHOOK_URL</span><span class="k">}</span><span class="sh"> - SLACK_PREFIX=</span><span class="k">${</span><span class="nv">SLACK_PREFIX</span><span class="k">:-</span><span class="nv">from</span>:<span class="p"> @Watcher</span><span class="k">}</span><span class="sh"> - ACTIVE_POOL=</span><span class="k">${</span><span class="nv">ACTIVE_POOL</span><span class="k">}</span><span class="sh"> - ERROR_RATE_THRESHOLD=</span><span class="k">${</span><span class="nv">ERROR_RATE_THRESHOLD</span><span class="k">:-</span><span class="nv">2</span><span class="k">}</span><span class="sh"> - WINDOW_SIZE=</span><span class="k">${</span><span class="nv">WINDOW_SIZE</span><span class="k">:-</span><span class="nv">200</span><span class="k">}</span><span class="sh"> - ALERT_COOLDOWN_SEC=</span><span class="k">${</span><span class="nv">ALERT_COOLDOWN_SEC</span><span class="k">:-</span><span class="nv">300</span><span class="k">}</span><span class="sh"> - MAINTENANCE_MODE=</span><span class="k">${</span><span class="nv">MAINTENANCE_MODE</span><span class="k">:-</span><span class="nv">false</span><span class="k">}</span><span class="sh"> - NGINX_LOG_FILE=/var/log/nginx/access.json volumes: - nginx_logs:/var/log/nginx - ./watcher.py:/opt/watcher/watcher.py:ro - ./requirements.txt:/opt/watcher/requirements.txt:ro command: &gt; sh -c "pip install --no-cache-dir -r /opt/watcher/requirements.txt &amp;&amp; python /opt/watcher/watcher.py" volumes: nginx_logs: </span><span class="no">EOF </span></code></pre> </div> <blockquote> <p>Want it ultra-minimal? Comment out/remove <code>alert_watcher</code> if you don’t need Slack alerts. The stack still works without it.</p> <p>What just happened? We wired four pieces: one shared app image, two containers (Blue/Green) with different env vars, Nginx in front, and an optional watcher that shares Nginx logs.</p> </blockquote> <h2> 5) .env (Wire It All Up) </h2> <p>One place for all the knobs: which pool is primary, release labels, and alert thresholds. Changing <code>ACTIVE_POOL</code> later lets you flip who is “live” without touching code.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> <span class="o">&gt;</span> .env <span class="o">&lt;&lt;</span><span class="sh">'</span><span class="no">EOF</span><span class="sh">' # Which pool is primary (blue or green) ACTIVE_POOL=blue # Release IDs (just labels for observability) RELEASE_ID_BLUE=release-v1.0.0-blue RELEASE_ID_GREEN=release-v1.0.0-green # App port inside the container PORT=3000 # Optional Slack alerts SLACK_WEBHOOK_URL= SLACK_PREFIX=from: @YourName ERROR_RATE_THRESHOLD=2 WINDOW_SIZE=200 ALERT_COOLDOWN_SEC=300 MAINTENANCE_MODE=false </span><span class="no">EOF </span></code></pre> </div> <h2> 6) Run Everything </h2> <p>Bring the whole stack up. Compose will build the image once and reuse it for both Blue and Green, then start Nginx and the watcher.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker compose up <span class="nt">-d</span> docker compose ps </code></pre> </div> <p>You should see containers for blue, green, nginx, and (optionally) alert-watcher.</p> <h2> 7) Sanity Checks </h2> <p>These calls prove traffic flows and headers are set so you can tell which pool responded.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Through Nginx (main entry)</span> curl http://localhost:8080/version <span class="c"># Direct to Blue</span> curl http://localhost:8081/version <span class="c"># Direct to Green</span> curl http://localhost:8082/version </code></pre> </div> <p>You should see JSON with <code>pool</code> and <code>releaseId</code>. By default, Blue is <br> active.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9mkjqrbpn5n7q3zkivng.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9mkjqrbpn5n7q3zkivng.png" alt="Live Endpoint" width="800" height="282"></a></p> <h2> 8) Prove Auto-Failover (Chaos Testing) </h2> <p>Time to break things on purpose. We’ll poison Blue and watch Nginx slide traffic to Green without customers seeing errors.</p> <p>1) Baseline (Blue active):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl http://localhost:8080/version <span class="c"># Expect X-App-Pool: blue</span> </code></pre> </div> <p>2) Break Blue:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> POST http://localhost:8081/chaos/start?mode<span class="o">=</span>error </code></pre> </div> <p>3) Check via Nginx:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl http://localhost:8080/version <span class="c"># Expect X-App-Pool: green (failover)</span> </code></pre> </div> <p>4) Heal Blue:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> POST http://localhost:8081/chaos/stop </code></pre> </div> <p>5) Try timeout chaos:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> POST http://localhost:8081/chaos/start?mode<span class="o">=</span><span class="nb">timeout</span> </code></pre> </div> <p>6) Light load test (should stay 200s, most from active pool):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">for </span>i <span class="k">in</span> <span class="o">{</span>1..50<span class="o">}</span><span class="p">;</span> <span class="k">do </span>curl <span class="nt">-s</span> http://localhost:8080/version <span class="o">&gt;</span>/dev/null<span class="p">;</span> <span class="k">done</span> </code></pre> </div> <blockquote> <p>What just happened? We proved failover under two kinds of pain: errors and timeouts. Nginx noticed, retried, and shifted traffic to keep responses healthy.</p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F66kgjbywkbvlf36l33k1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F66kgjbywkbvlf36l33k1.png" alt="Chaos Mode" width="800" height="215"></a></p> <h2> 9) Switch Pools Manually </h2> <p>Edit <code>.env</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ACTIVE_POOL=green </code></pre> </div> <p>Restart:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker compose down docker compose up <span class="nt">-d</span> </code></pre> </div> <p>Nginx will now route to Green as primary, Blue as backup.</p> <h2> 10) Slack Alerts (If Enabled) </h2> <p>If you kept <code>alert_watcher</code>, set <code>SLACK_WEBHOOK_URL</code> in <code>.env</code>, then:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker compose up <span class="nt">-d</span> </code></pre> </div> <p>Trigger chaos on Blue:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> POST http://localhost:8081/chaos/start?mode<span class="o">=</span>error <span class="k">for </span>i <span class="k">in</span> <span class="o">{</span>1..50<span class="o">}</span><span class="p">;</span> <span class="k">do </span>curl <span class="nt">-s</span> http://localhost:8080/version <span class="o">&gt;</span>/dev/null<span class="p">;</span> <span class="k">done </span>curl <span class="nt">-X</span> POST http://localhost:8081/chaos/stop </code></pre> </div> <p>You should see Slack messages for failover and (if errors &gt; threshold) high error rate. Tune thresholds in <code>.env</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1jph2sgkpiynwe9w7sqf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1jph2sgkpiynwe9w7sqf.png" alt="Slack Alert" width="800" height="365"></a></p> <blockquote> <p>What just happened? The watcher tailed Nginx’s JSON logs, spotted failover/high-error signals, and pinged Slack so humans know immediately.</p> </blockquote> <h2> 11) Cleanup </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker compose down <span class="c"># Full clean (images/volumes):</span> docker compose down <span class="nt">-v</span> <span class="nt">--rmi</span> all </code></pre> </div> <blockquote> <p>What just happened? We shut down everything, and if you ran the full clean, you also removed images and volumes for a fresh slate next time.</p> </blockquote> <h2> Troubleshooting Quick Hits </h2> <ul> <li> <strong>Ports busy</strong>: Free 8080/8081/8082 or change mappings in compose.</li> <li> <strong>No failover</strong>: Check health endpoints (<code>/healthz</code>), timeouts, and chaos mode.</li> <li> <strong>Headers missing</strong>: Ensure app sets <code>X-App-Pool</code>/<code>X-Release-Id</code> and Nginx passes headers.</li> <li> <strong>Slack silent</strong>: Verify webhook, internet egress, and watcher logs.</li> <li> <strong>Slow failover</strong>: Tighten timeouts (<code>proxy_connect_timeout</code>, <code>max_fails</code>, <code>fail_timeout</code>).</li> </ul> <h2> Why This Matters </h2> <ul> <li> <strong>Zero downtime</strong>: Swap versions or survive failures without users noticing.</li> <li> <strong>Confidence</strong>: Chaos testing proves failover actually works.</li> <li> <strong>Clarity</strong>: Structured logs + headers show exactly who served each request.</li> <li> <strong>Simplicity</strong>: Docker Compose + Nginx — no Kubernetes required.</li> </ul> <h2> Next Steps </h2> <ul> <li>Add CI to build/push the app image, tag blue/green releases.</li> <li>Add canary routing (gradual traffic shift) on top of blue/green.</li> <li>Ship logs to ELK/Datadog, add dashboards.</li> <li>Extend alerts to email/PagerDuty.</li> </ul> <p><strong>You just built Blue/Green with automatic failover, chaos testing, and optional Slack alerts — from scratch. Happy shipping! 🚀</strong></p> devops node architecture tutorial From Zero to Production: A Complete Guide to Deploying Microservices with Terraform, Ansible and CI/CD Mart Young Tue, 09 Dec 2025 15:30:22 +0000 https://dev.to/mart_young_ce778e4c31eb33/from-zero-to-production-a-complete-guide-to-deploying-microservices-with-terraform-ansible-and-3nbf https://dev.to/mart_young_ce778e4c31eb33/from-zero-to-production-a-complete-guide-to-deploying-microservices-with-terraform-ansible-and-3nbf <p><em>How I built a production-ready DevOps pipeline for a microservices TODO application - and how you can too, even if you're just starting out.</em></p> <h2> Introduction: Why This Matters </h2> <p>If you're reading this, you've probably heard terms like "DevOps," "Infrastructure as Code," and "CI/CD" thrown around, but maybe you're not entirely sure what they mean or how they fit together. That's exactly where I was when I started.</p> <p>This guide isn't just about completing a task - it's about understanding the <strong>why</strong> behind each decision, learning from common mistakes, and building something you can be proud of. By the end, you'll have deployed a real application to the cloud with automated infrastructure, proper security, and a professional workflow.</p> <p><strong>What you'll build:</strong></p> <ul> <li>A microservices application with 5 different services (Vue.js, Go, Node.js, Java, Python)</li> <li>Automated cloud infrastructure using Terraform</li> <li>Server configuration and deployment with Ansible</li> <li>CI/CD pipelines that detect when things go wrong</li> <li>Multi-environment setup (dev, staging, production)</li> <li>Secure HTTPS with automatic SSL certificates</li> <li>A single command that deploys everything</li> </ul> <p><strong>What you'll learn:</strong></p> <ul> <li>How containerization actually works (beyond just "docker run")</li> <li>Why infrastructure as code matters (and how it saves you from disasters)</li> <li>How to think about security in a cloud environment</li> <li>The importance of automation and what happens when you skip it</li> </ul> <p>Let's dive in.</p> <h2> Part 1: Understanding What We're Building </h2> <p>Before we start writing code, let's understand what we're actually building. This isn't just a TODO app - it's a <strong>microservices architecture</strong>, which means instead of one big application, we have multiple small services that work together.</p> <h3> The Architecture </h3> <p>Think of it like a restaurant:</p> <ul> <li> <strong>Frontend (Vue.js)</strong> - The dining room where customers interact</li> <li> <strong>Auth API (Go)</strong> - The host who checks if you have a reservation (authentication)</li> <li> <strong>Todos API (Node.js)</strong> - The waiter who takes your order (manages your todos)</li> <li> <strong>Users API (Java)</strong> - The manager who knows all the customers (user management)</li> <li> <strong>Log Processor (Python)</strong> - The kitchen staff who process orders (background processing)</li> <li> <strong>Redis</strong> - The order board where everyone can see what's happening (message queue)</li> </ul> <p>Each service runs in its own container, which is like giving each part of the restaurant its own kitchen. If the waiter (Todos API) has a problem, it doesn't crash the whole restaurant.</p> <h3> Why Containerization? </h3> <p>You might be thinking: "Why not just run everything on one server?" Great question! Here's why containers matter:</p> <ol> <li> <strong>Isolation</strong>: If one service crashes, others keep running</li> <li> <strong>Consistency</strong>: "It works on my machine" becomes "it works everywhere"</li> <li> <strong>Scalability</strong>: Need more power? Spin up more containers</li> <li> <strong>Portability</strong>: Move from AWS to Azure? Just change where you run containers</li> </ol> <h3> The Challenge </h3> <p>The real challenge isn't just getting containers to run - it's:</p> <ul> <li>Making sure they can talk to each other</li> <li>Securing them with HTTPS</li> <li>Automating deployment so you don't manually SSH into servers</li> <li>Detecting when someone changes things manually (drift detection)</li> <li>Managing multiple environments without chaos</li> </ul> <p>That's what makes this a real-world project.</p> <h2> Part 2: Setting Up Your Development Environment </h2> <p>Before we write any code, let's make sure you have everything you need. Don't worry if some of these are new - I'll explain what each one does.</p> <h3> Required Accounts </h3> <p><strong>GitHub Account</strong> (Free)</p> <ul> <li>This is where your code lives and where CI/CD runs</li> <li>Think of it as your code's home and your automation's brain</li> <li>Sign up at github.com if you don't have one</li> </ul> <p><strong>AWS Account</strong> (Free tier available)</p> <ul> <li>This is where your servers will run</li> <li>AWS has a free tier that's perfect for learning</li> <li>You'll need a credit card, but we'll stay within free limits</li> <li>Sign up at aws.amazon.com</li> </ul> <p><strong>Domain Name</strong> (Optional but recommended - ~$10-15/year)</p> <ul> <li>This is your website's address (like <code>yourname.com</code>)</li> <li>You can use services like Namecheap, GoDaddy, or Cloudflare</li> <li> <strong>Why you need it</strong>: Let's Encrypt (free SSL) requires a real domain</li> <li> <strong>Alternative</strong>: You can test with <code>localhost</code> but won't get real SSL</li> </ul> <h3> Installing Required Tools </h3> <p><strong>Docker &amp; Docker Compose</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># On Ubuntu/Debian</span> <span class="nb">sudo </span>apt-get update <span class="nb">sudo </span>apt-get <span class="nb">install </span>docker.io docker-compose-plugin <span class="c"># Verify installation</span> docker <span class="nt">--version</span> docker compose version </code></pre> </div> <p><strong>What is Docker?</strong> Think of it as a shipping container for software. Just like shipping containers standardize how goods are transported, Docker standardizes how applications run.</p> <p><strong>Terraform</strong> (Version 1.5.0 or higher)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Download from hashicorp.com or use package manager</span> wget https://releases.hashicorp.com/terraform/1.5.0/terraform_1.5.0_linux_amd64.zip unzip terraform_1.5.0_linux_amd64.zip <span class="nb">sudo mv </span>terraform /usr/local/bin/ <span class="c"># Verify</span> terraform version </code></pre> </div> <p><strong>What is Terraform?</strong> It's like a blueprint for your cloud infrastructure. Instead of clicking buttons in AWS console (which you'll forget), you write code that describes what you want, and Terraform makes it happen.</p> <p><strong>Ansible</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>apt-get <span class="nb">install </span>ansible <span class="c"># Verify</span> ansible <span class="nt">--version</span> </code></pre> </div> <p><strong>What is Ansible?</strong> Think of it as a remote control for servers. Instead of SSHing into each server and typing commands, you write a "playbook" that tells Ansible what to do, and it does it on all your servers.</p> <p><strong>AWS CLI</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="s2">"https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip"</span> <span class="nt">-o</span> <span class="s2">"awscliv2.zip"</span> unzip awscliv2.zip <span class="nb">sudo</span> ./aws/install <span class="c"># Configure with your credentials</span> aws configure </code></pre> </div> <p><strong>What is AWS CLI?</strong> It's a command-line interface to AWS. Instead of using the web console, you can control AWS from your terminal.</p> <h3> Setting Up AWS </h3> <p>This is where many beginners get stuck, so let's go through it step by step.</p> <h4> Step 1: Create an IAM User </h4> <p><strong>Why not use your root account?</strong> Security best practice - root account has unlimited power. If it gets compromised, your entire AWS account is at risk.</p> <ol> <li>Go to AWS Console → IAM → Users</li> <li>Click "Create user"</li> <li>Name it something like <code>terraform-user</code> </li> <li> <strong>Important</strong>: Check "Provide user access to the AWS Management Console" if you want console access, OR just programmatic access for CLI/API</li> <li>Attach policies: <ul> <li> <code>AmazonEC2FullAccess</code> (for creating servers)</li> <li> <code>AmazonS3FullAccess</code> (for storing Terraform state)</li> <li> <code>AmazonDynamoDBFullAccess</code> (for state locking)</li> <li> <code>AmazonSESFullAccess</code> (for email notifications)</li> </ul> </li> <li>Save the <strong>Access Key ID</strong> and <strong>Secret Access Key</strong> - you'll need these!</li> </ol> <h4> Step 2: Create S3 Bucket for Terraform State </h4> <p><strong>What is Terraform state?</strong> Terraform needs to remember what it created. This "memory" is stored in a state file. We put it in S3 so it's:</p> <ul> <li>Backed up automatically</li> <li>Accessible from anywhere</li> <li>Versioned (can see history)</li> </ul> <ol> <li>Go to S3 → Create bucket</li> <li>Name it something like <code>yourname-terraform-state</code> </li> <li> <strong>Important settings</strong>: <ul> <li>Region: Choose one (remember which one!)</li> <li>Block Public Access: Keep all enabled (security)</li> <li>Versioning: <strong>Enable this</strong> (so you can recover if state gets corrupted)</li> </ul> </li> <li>Click Create</li> </ol> <h4> Step 3: Create DynamoDB Table for State Locking </h4> <p><strong>Why do we need locking?</strong> Imagine two people trying to deploy at the same time. Without locking, they might both try to create the same server, causing conflicts. DynamoDB prevents this.</p> <ol> <li>Go to DynamoDB → Create table</li> <li>Table name: <code>terraform-state-lock</code> </li> <li>Partition key: <code>LockID</code> (type: String)</li> <li>Table settings: Use default</li> <li>Capacity: On-demand (pay per request - perfect for this use case)</li> <li>Click Create</li> </ol> <h4> Step 4: Create EC2 Key Pair </h4> <p><strong>What is a key pair?</strong> It's like a password, but more secure. Instead of typing a password, you use a private key file to authenticate.</p> <ol> <li>Go to EC2 → Key Pairs → Create key pair</li> <li>Name: <code>my-terraform-key</code> (or whatever you prefer)</li> <li>Key pair type: RSA</li> <li>Private key file format: <code>.pem</code> </li> <li>Click Create</li> <li> <strong>IMPORTANT</strong>: The <code>.pem</code> file downloads automatically. Save it somewhere safe! You'll need it to SSH into your servers.</li> </ol> <h4> Step 5: Verify AWS CLI Works </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Test your credentials</span> aws sts get-caller-identity <span class="c"># Should show your user ARN</span> </code></pre> </div> <p>If this works, you're all set! If not, check your <code>aws configure</code> settings.</p> <h2> Part 3: Containerizing Your Application </h2> <p>Now that your environment is set up, let's containerize the application. This is where the magic happens.</p> <h3> Understanding Dockerfiles </h3> <p>A Dockerfile is like a recipe. It tells Docker:</p> <ol> <li>What base image to start with (like choosing an operating system)</li> <li>What files to copy</li> <li>What commands to run</li> <li>What port to expose</li> <li>What command to run when the container starts</li> </ol> <h3> Creating Dockerfiles for All Services </h3> <p>Now, you might be wondering: "How do I know what Dockerfile to create for each service?" Great question! Let me show you the pattern.</p> <p><strong>The rule of thumb:</strong> Each service folder needs its own Dockerfile. Look at your project structure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>DevOps-deployment/ ├── frontend/ → Needs Dockerfile (Vue.js) ├── auth-api/ → Needs Dockerfile (Go) ├── todos-api/ → Needs Dockerfile (Node.js) ├── users-api/ → Needs Dockerfile (Java) └── log-message-processor/ → Needs Dockerfile (Python) </code></pre> </div> <p><strong>How to figure out what each service needs:</strong></p> <ol> <li>Check what language/framework it uses (look for <code>package.json</code>, <code>pom.xml</code>, <code>requirements.txt</code>, <code>go.mod</code>)</li> <li>Find the entry point (usually <code>server.js</code>, <code>main.go</code>, <code>main.py</code>, or a compiled JAR)</li> <li>Determine the port it runs on (check the code or config files)</li> <li>Follow the pattern for that language</li> </ol> <h4> Frontend Dockerfile (Vue.js) </h4> <p><strong>First, check the service:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>frontend <span class="nb">ls</span> <span class="nt">-la</span> <span class="c"># You'll see: package.json, src/, public/</span> <span class="c"># This tells you: It's a Vue.js app that needs to be built</span> </code></pre> </div> <p><strong>Vue.js apps are special</strong> - they compile to static HTML/CSS/JS files that need a web server. We use a "multi-stage build":</p> <ol> <li> <strong>Build stage</strong>: Use Node.js to compile the Vue app</li> <li> <strong>Runtime stage</strong>: Use nginx (lightweight web server) to serve the compiled files </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Step 1: Build the application</span> <span class="k">FROM</span><span class="w"> </span><span class="s">node:18-alpine</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">build</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> package*.json ./</span> <span class="k">RUN </span>npm <span class="nb">install</span> <span class="k">COPY</span><span class="s"> . .</span> <span class="k">RUN </span>npm run build <span class="c"># Step 2: Serve it with nginx</span> <span class="k">FROM</span><span class="s"> nginx:alpine</span> <span class="k">COPY</span><span class="s"> --from=build /app/dist /usr/share/nginx/html</span> <span class="k">COPY</span><span class="s"> nginx.conf /etc/nginx/conf.d/default.conf</span> <span class="k">EXPOSE</span><span class="s"> 80</span> </code></pre> </div> <p><strong>Breaking it down:</strong></p> <ul> <li> <code>FROM node:18-alpine AS build</code> - Start with Node.js for building (the <code>AS build</code> names this stage)</li> <li> <code>COPY package*.json ./</code> - Copy dependency files first (Docker caching optimization!)</li> <li> <code>RUN npm install</code> - Install dependencies</li> <li> <code>RUN npm run build</code> - Compile Vue.js to static files (creates <code>dist/</code> folder)</li> <li> <code>FROM nginx:alpine</code> - Start a NEW stage with nginx (much smaller image)</li> <li> <code>COPY --from=build</code> - Copy the built files from the build stage</li> <li> <code>EXPOSE 80</code> - nginx serves on port 80</li> </ul> <p><strong>Why two stages?</strong> The build stage has Node.js + all build tools (~500MB). The runtime stage only has nginx + static files (~20MB). This makes the final image 25x smaller!</p> <h4> Auth API Dockerfile (Go) </h4> <p><strong>Check the service:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>auth-api <span class="nb">ls</span> <span class="nt">-la</span> <span class="c"># You'll see: go.mod, main.go</span> <span class="c"># This tells you: It's Go, entry point is main.go</span> </code></pre> </div> <p><strong>Go is special</strong> - it compiles to a single binary file. No runtime needed! We also use multi-stage build:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Build stage</span> <span class="k">FROM</span><span class="w"> </span><span class="s">golang:1.21-alpine</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">build</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> go.mod go.sum ./</span> <span class="k">RUN </span>go mod download <span class="k">COPY</span><span class="s"> . .</span> <span class="k">RUN </span><span class="nv">CGO_ENABLED</span><span class="o">=</span>0 <span class="nv">GOOS</span><span class="o">=</span>linux go build <span class="nt">-o</span> auth-api <span class="c"># Runtime stage</span> <span class="k">FROM</span><span class="s"> alpine:latest</span> <span class="k">RUN </span>apk <span class="nt">--no-cache</span> add ca-certificates <span class="k">COPY</span><span class="s"> --from=build /app/auth-api /auth-api</span> <span class="k">EXPOSE</span><span class="s"> 8081</span> <span class="k">CMD</span><span class="s"> ["/auth-api"]</span> </code></pre> </div> <p><strong>Breaking it down:</strong></p> <ul> <li> <code>FROM golang:1.21-alpine AS build</code> - Go compiler for building</li> <li> <code>RUN go mod download</code> - Download Go dependencies</li> <li> <code>RUN go build -o auth-api</code> - Compile to a single binary file</li> <li> <code>FROM alpine:latest</code> - Tiny Linux (only 5MB!)</li> <li> <code>COPY --from=build /app/auth-api</code> - Copy the compiled binary</li> <li> <code>CMD ["/auth-api"]</code> - Run the binary</li> </ul> <p><strong>Key differences from Vue.js:</strong></p> <ul> <li>Go compiles to a single binary (no runtime needed!)</li> <li>Final image is super small (~10MB vs ~500MB for Node.js)</li> <li> <code>CGO_ENABLED=0</code> creates a static binary (no external dependencies)</li> </ul> <h4> Todos API Dockerfile (Node.js) </h4> <p><strong>Check the service:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>todos-api <span class="nb">ls</span> <span class="nt">-la</span> <span class="c"># You'll see: package.json, server.js, routes.js</span> <span class="c"># This tells you: It's Node.js, entry point is server.js</span> </code></pre> </div> <p><strong>Check package.json for the start command:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"scripts"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"start"</span><span class="p">:</span><span class="w"> </span><span class="s2">"node server.js"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Node.js API Dockerfile</strong> (simpler than Vue.js - no build step needed):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> node:18-alpine</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="c"># Copy dependency files first (Docker caching optimization)</span> <span class="k">COPY</span><span class="s"> package*.json ./</span> <span class="c"># Install dependencies (production only for smaller image)</span> <span class="k">RUN </span>npm ci <span class="nt">--only</span><span class="o">=</span>production <span class="c"># Copy application code</span> <span class="k">COPY</span><span class="s"> . .</span> <span class="c"># Expose the port (check server.js to see which port)</span> <span class="k">EXPOSE</span><span class="s"> 8082</span> <span class="c"># Start the application</span> <span class="k">CMD</span><span class="s"> ["node", "server.js"]</span> </code></pre> </div> <p><strong>Why this pattern?</strong></p> <ul> <li> <code>npm ci --only=production</code> - Faster, more reliable than <code>npm install</code>, and skips dev dependencies</li> <li>Copy <code>package*.json</code> first - If dependencies don't change, Docker reuses the cached layer</li> <li> <code>node:18-alpine</code> - Lightweight Node.js image</li> </ul> <p><strong>How to test it:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Build the image</span> docker build <span class="nt">-t</span> todos-api ./todos-api <span class="c"># Run it</span> docker run <span class="nt">-p</span> 8082:8082 todos-api <span class="c"># Test it</span> curl http://localhost:8082 </code></pre> </div> <h4> Users API Dockerfile (Java Spring Boot) </h4> <p><strong>Check the service:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>users-api <span class="nb">ls</span> <span class="nt">-la</span> <span class="c"># You'll see: pom.xml, src/</span> <span class="c"># This tells you: It's Java with Maven, needs to be compiled</span> </code></pre> </div> <p><strong>Java services need two stages:</strong></p> <ol> <li>Build stage - Compile the code</li> <li>Runtime stage - Run the compiled JAR </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Stage 1: Build</span> <span class="k">FROM</span><span class="w"> </span><span class="s">maven:3.9-eclipse-temurin-17</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">build</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="c"># Copy Maven config first (caching optimization)</span> <span class="k">COPY</span><span class="s"> pom.xml .</span> <span class="c"># Download dependencies (cached if pom.xml doesn't change)</span> <span class="k">RUN </span>mvn dependency:go-offline <span class="c"># Copy source code</span> <span class="k">COPY</span><span class="s"> src ./src</span> <span class="c"># Build the application</span> <span class="k">RUN </span>mvn clean package <span class="nt">-DskipTests</span> <span class="c"># Stage 2: Runtime</span> <span class="k">FROM</span><span class="s"> eclipse-temurin:17-jre-alpine</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="c"># Install JAXB dependencies (needed for Java 17+)</span> <span class="k">RUN </span>apk add <span class="nt">--no-cache</span> wget <span class="o">&amp;&amp;</span> <span class="se">\ </span> <span class="nb">mkdir</span> <span class="nt">-p</span> /app/lib <span class="o">&amp;&amp;</span> <span class="se">\ </span> wget <span class="nt">-q</span> <span class="nt">-O</span> /app/lib/jaxb-api.jar https://repo1.maven.org/maven2/javax/xml/bind/jaxb-api/2.3.1/jaxb-api-2.3.1.jar <span class="o">&amp;&amp;</span> <span class="se">\ </span> wget <span class="nt">-q</span> <span class="nt">-O</span> /app/lib/jaxb-runtime.jar https://repo1.maven.org/maven2/org/glassfish/jaxb/jaxb-runtime/2.3.1/jaxb-runtime-2.3.1.jar <span class="o">&amp;&amp;</span> <span class="se">\ </span> apk del wget <span class="c"># Copy the built JAR from build stage</span> <span class="k">COPY</span><span class="s"> --from=build /app/target/*.jar app.jar</span> <span class="k">EXPOSE</span><span class="s"> 8083</span> <span class="c"># Run the Spring Boot application</span> <span class="k">ENTRYPOINT</span><span class="s"> ["java", \</span> "--add-opens", "java.base/java.lang=ALL-UNNAMED", \ "--add-opens", "java.base/java.lang.reflect=ALL-UNNAMED", \ "--add-opens", "java.base/java.util=ALL-UNNAMED", \ "-cp", "app.jar:/app/lib/*", \ "org.springframework.boot.loader.JarLauncher"] </code></pre> </div> <p><strong>Why this is complex:</strong></p> <ul> <li>Java needs compilation (Maven does this)</li> <li>Spring Boot creates a "fat JAR" (includes everything)</li> <li>Java 17+ removed some libraries (JAXB), so we add them back</li> <li>The <code>--add-opens</code> flags are needed for Java 17+ module system</li> </ul> <p><strong>Don't worry if this looks complicated</strong> - Java Dockerfiles are the most complex. The pattern is always:</p> <ol> <li>Build stage: Install dependencies, compile</li> <li>Runtime stage: Copy compiled artifact, run it</li> </ol> <h4> Log Message Processor Dockerfile (Python) </h4> <p><strong>Check the service:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>log-message-processor <span class="nb">ls</span> <span class="nt">-la</span> <span class="c"># You'll see: requirements.txt, main.py</span> <span class="c"># This tells you: It's Python, entry point is main.py</span> </code></pre> </div> <p><strong>Python Dockerfile:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> python:3.11-slim</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="c"># Install build dependencies (needed to compile some Python packages)</span> <span class="k">RUN </span>apt-get update <span class="o">&amp;&amp;</span> apt-get <span class="nb">install</span> <span class="nt">-y</span> <span class="nt">--no-install-recommends</span> <span class="se">\ </span> gcc <span class="se">\ </span> g++ <span class="se">\ </span> python3-dev <span class="se">\ </span> <span class="o">&amp;&amp;</span> <span class="nb">rm</span> <span class="nt">-rf</span> /var/lib/apt/lists/<span class="k">*</span> <span class="c"># Copy and install Python dependencies</span> <span class="k">COPY</span><span class="s"> requirements.txt .</span> <span class="k">RUN </span>pip <span class="nb">install</span> <span class="nt">--no-cache-dir</span> <span class="nt">-r</span> requirements.txt <span class="c"># Remove build dependencies (they're not needed at runtime)</span> <span class="k">RUN </span>apt-get purge <span class="nt">-y</span> gcc g++ python3-dev <span class="o">&amp;&amp;</span> <span class="se">\ </span> apt-get autoremove <span class="nt">-y</span> <span class="o">&amp;&amp;</span> <span class="se">\ </span> apt-get clean <span class="o">&amp;&amp;</span> <span class="se">\ </span> <span class="nb">rm</span> <span class="nt">-rf</span> /var/lib/apt/lists/<span class="k">*</span> <span class="c"># Copy application code</span> <span class="k">COPY</span><span class="s"> . .</span> <span class="c"># Run the application</span> <span class="k">CMD</span><span class="s"> ["python", "main.py"]</span> </code></pre> </div> <p><strong>Why install then remove build dependencies?</strong></p> <ul> <li>Some Python packages need to compile C extensions</li> <li>We install <code>gcc</code>, <code>g++</code> to compile them</li> <li>After installation, we remove them (saves ~200MB!)</li> <li>The compiled packages still work without the compilers</li> </ul> <p><strong>Simpler alternative (if no C extensions needed):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> python:3.11-slim</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> requirements.txt .</span> <span class="k">RUN </span>pip <span class="nb">install</span> <span class="nt">--no-cache-dir</span> <span class="nt">-r</span> requirements.txt <span class="k">COPY</span><span class="s"> . .</span> <span class="k">CMD</span><span class="s"> ["python", "main.py"]</span> </code></pre> </div> <h3> The Pattern: How to Create Any Dockerfile </h3> <p>Here's the mental model:</p> <ol> <li> <p><strong>Identify the language</strong> → Check for language-specific files</p> <ul> <li> <code>package.json</code> → Node.js</li> <li> <code>pom.xml</code> or <code>build.gradle</code> → Java</li> <li> <code>requirements.txt</code> → Python</li> <li> <code>go.mod</code> → Go</li> <li> <code>Cargo.toml</code> → Rust</li> </ul> </li> <li> <p><strong>Find the base image</strong> → Use official images</p> <ul> <li>Node.js → <code>node:18-alpine</code> </li> <li>Java → <code>eclipse-temurin:17-jre-alpine</code> (runtime) or <code>maven:3.9-eclipse-temurin-17</code> (build)</li> <li>Python → <code>python:3.11-slim</code> </li> <li>Go → <code>golang:1.21-alpine</code> (build) or <code>alpine:latest</code> (runtime)</li> </ul> </li> <li> <p><strong>Copy dependencies first</strong> → Docker caching optimization</p> <ul> <li>Copy <code>package.json</code> / <code>pom.xml</code> / <code>requirements.txt</code> / <code>go.mod</code> </li> <li>Install dependencies</li> <li>Then copy application code</li> </ul> </li> <li><p><strong>Expose the port</strong> → Check the code for which port it uses</p></li> <li><p><strong>Set the command</strong> → How to start the application</p></li> </ol> <h3> Testing Each Dockerfile </h3> <p>Before adding to docker-compose, test each one:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Test Frontend</span> <span class="nb">cd </span>frontend docker build <span class="nt">-t</span> frontend-test <span class="nb">.</span> docker run <span class="nt">-p</span> 8080:80 frontend-test curl http://localhost:8080 <span class="c"># Test Auth API</span> <span class="nb">cd</span> ../auth-api docker build <span class="nt">-t</span> auth-api-test <span class="nb">.</span> docker run <span class="nt">-p</span> 8081:8081 auth-api-test curl http://localhost:8081/health <span class="c"># Test Todos API</span> <span class="nb">cd</span> ../todos-api docker build <span class="nt">-t</span> todos-api-test <span class="nb">.</span> docker run <span class="nt">-p</span> 8082:8082 todos-api-test curl http://localhost:8082 <span class="c"># Test Users API</span> <span class="nb">cd</span> ../users-api docker build <span class="nt">-t</span> users-api-test <span class="nb">.</span> docker run <span class="nt">-p</span> 8083:8083 users-api-test curl http://localhost:8083/health <span class="c"># Test Log Processor</span> <span class="nb">cd</span> ../log-message-processor docker build <span class="nt">-t</span> log-processor-test <span class="nb">.</span> docker run log-processor-test <span class="c"># (This might not have HTTP endpoint, check logs)</span> </code></pre> </div> <p><strong>Common issues and fixes:</strong></p> <ol> <li> <p><strong>"Module not found" or "Package not found"</strong></p> <ul> <li>Make sure you copied dependency files before installing</li> <li>Check that <code>requirements.txt</code> / <code>package.json</code> is in the right place</li> </ul> </li> <li> <p><strong>"Port already in use"</strong></p> <ul> <li>Another container is using that port</li> <li>Use <code>docker ps</code> to see what's running</li> <li>Stop it with <code>docker stop &lt;container-id&gt;</code> </li> </ul> </li> <li> <p><strong>"Cannot connect to database" or "Connection refused"</strong></p> <ul> <li>Services need to be in the same Docker network</li> <li>Use service names (e.g., <code>redis</code>) not <code>localhost</code> </li> <li>Wait for dependencies to be ready (use <code>depends_on</code> in docker-compose)</li> </ul> </li> <li> <p><strong>Image too large</strong></p> <ul> <li>Use multi-stage builds (build in one stage, copy artifacts to smaller runtime stage)</li> <li>Use <code>alpine</code> or <code>slim</code> base images</li> <li>Remove build dependencies after installation</li> </ul> </li> </ol> <h3> Creating docker-compose.yml </h3> <p>Now we need to orchestrate all these containers. That's where Docker Compose comes in.</p> <p><strong>Think of docker-compose.yml as a conductor's score</strong> - it tells all the musicians (containers) when to play, how to play together, and in what order.</p> <p>Let's build it piece by piece:</p> <h4> Step 1: The Reverse Proxy (Traefik) </h4> <p>Traefik is like a smart receptionist at a hotel:</p> <ul> <li>It receives all incoming requests (guests)</li> <li>It looks at the URL and decides which service should handle it (which room)</li> <li>It automatically gets SSL certificates from Let's Encrypt (security badges)</li> <li>It handles HTTPS redirects (escorts HTTP guests to HTTPS) </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="c1"># Reverse Proxy - Routes traffic to the right service</span> <span class="na">traefik</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">traefik:latest</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">traefik</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--api.insecure=true"</span> <span class="c1"># Enable dashboard (for debugging)</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--providers.docker=true"</span> <span class="c1"># Watch Docker containers</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--providers.docker.exposedbydefault=false"</span> <span class="c1"># Only expose containers with labels</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--entrypoints.web.address=:80"</span> <span class="c1"># HTTP entry point</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--entrypoints.websecure.address=:443"</span> <span class="c1"># HTTPS entry point</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--certificatesresolvers.letsencrypt.acme.httpchallenge=true"</span> <span class="c1"># Use HTTP challenge</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"</span> <span class="c1"># Challenge on port 80</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--certificatesresolvers.letsencrypt.acme.email=${LETSENCRYPT_EMAIL:-your-email@example.com}"</span> <span class="c1"># Email for cert</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"</span> <span class="c1"># Where to store certs</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">80:80"</span> <span class="c1"># HTTP</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">443:443"</span> <span class="c1"># HTTPS</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">8080:8080"</span> <span class="c1"># Traefik dashboard (for debugging)</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">/var/run/docker.sock:/var/run/docker.sock:ro</span> <span class="c1"># Let Traefik see other containers</span> <span class="pi">-</span> <span class="s">./letsencrypt:/letsencrypt</span> <span class="c1"># Store SSL certificates</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">app-network</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="c1"># Auto-restart if it crashes</span> </code></pre> </div> <p><strong>Key concepts:</strong></p> <ul> <li> <code>ports: "80:80"</code> means "map host port 80 to container port 80"</li> <li> <code>volumes: /var/run/docker.sock</code> lets Traefik discover other containers automatically</li> <li> <code>networks: app-network</code> puts Traefik on the same network as other services</li> </ul> <h4> Step 2: The Frontend Service </h4> <p>The Vue.js frontend needs to be built and served:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="c1"># Frontend - Vue.js application</span> <span class="na">frontend</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">context</span><span class="pi">:</span> <span class="s">./frontend</span> <span class="c1"># Where the Dockerfile is</span> <span class="na">dockerfile</span><span class="pi">:</span> <span class="s">Dockerfile</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">frontend</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">PORT=80</span> <span class="c1"># Port the app runs on inside container</span> <span class="pi">-</span> <span class="s">AUTH_API_ADDRESS=http://auth-api:8081</span> <span class="c1"># Use service name, not localhost!</span> <span class="pi">-</span> <span class="s">TODOS_API_ADDRESS=http://todos-api:8082</span> <span class="na">labels</span><span class="pi">:</span> <span class="c1"># Tell Traefik to route traffic to this service</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.enable=true"</span> <span class="c1"># Route requests for your domain to this service</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.frontend.rule=Host(`${DOMAIN:-yourdomain.com}`)"</span> <span class="c1"># Use HTTPS</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.frontend.entrypoints=websecure"</span> <span class="c1"># Get SSL certificate automatically</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.frontend.tls.certresolver=letsencrypt"</span> <span class="c1"># Frontend runs on port 80 inside container</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.services.frontend.loadbalancer.server.port=80"</span> <span class="c1"># Redirect HTTP to HTTPS</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.frontend-redirect.rule=Host(`${DOMAIN:-yourdomain.com}`)"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.frontend-redirect.entrypoints=web"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.frontend-redirect.middlewares=redirect-to-https"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">app-network</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">auth-api</span> <span class="pi">-</span> <span class="s">todos-api</span> <span class="pi">-</span> <span class="s">users-api</span> </code></pre> </div> <p><strong>Important points:</strong></p> <ul> <li> <code>build: context: ./frontend</code> tells Docker to build from the frontend folder</li> <li> <code>environment:</code> sets variables the app can read</li> <li> <code>AUTH_API_ADDRESS=http://auth-api:8081</code> - Notice we use <code>auth-api</code> (the service name), not <code>localhost</code>!</li> <li> <code>depends_on:</code> ensures these services start before frontend</li> <li>Labels tell Traefik how to route traffic</li> </ul> <h4> Step 3: The Auth API (Go) </h4> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="c1"># Auth API - Handles authentication</span> <span class="na">auth-api</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">context</span><span class="pi">:</span> <span class="s">./auth-api</span> <span class="na">dockerfile</span><span class="pi">:</span> <span class="s">Dockerfile</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">auth-api</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">AUTH_API_PORT=8081</span> <span class="pi">-</span> <span class="s">USERS_API_ADDRESS=http://users-api:8083</span> <span class="pi">-</span> <span class="s">JWT_SECRET=${JWT_SECRET:-myfancysecret}</span> <span class="c1"># Secret key for tokens</span> <span class="pi">-</span> <span class="s">REDIS_URL=redis://redis:6379</span> <span class="c1"># Redis connection</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.enable=true"</span> <span class="c1"># Route /api/auth requests to this service</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.auth.rule=Host(`${DOMAIN:-yourdomain.com}`)</span><span class="nv"> </span><span class="s">&amp;&amp;</span><span class="nv"> </span><span class="s">PathPrefix(`/api/auth`)"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.auth.entrypoints=websecure"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.auth.tls.certresolver=letsencrypt"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.services.auth.loadbalancer.server.port=8081"</span> <span class="c1"># Also handle /login route (frontend calls this)</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.auth-login.rule=Host(`${DOMAIN:-yourdomian.com}`)</span><span class="nv"> </span><span class="s">&amp;&amp;</span><span class="nv"> </span><span class="s">(Path(`/login`)</span><span class="nv"> </span><span class="s">||</span><span class="nv"> </span><span class="s">PathPrefix(`/login/`))"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.auth-login.entrypoints=websecure"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.auth-login.tls.certresolver=letsencrypt"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.auth-login.service=auth"</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">app-network</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">redis</span> <span class="c1"># Needs Redis for session storage</span> </code></pre> </div> <p><strong>Routing explained:</strong></p> <ul> <li> <code>PathPrefix(/api/auth)</code> means any URL starting with <code>/api/auth</code> goes here</li> <li>Example: <code>https://your-domain.com/api/auth/login</code> → auth-api</li> <li> <code>Path(/login)</code> means exactly <code>/login</code> goes here</li> </ul> <h4> Step 4: The Todos API (Node.js) </h4> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="c1"># Todos API - Manages todo items</span> <span class="na">todos-api</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">context</span><span class="pi">:</span> <span class="s">./todos-api</span> <span class="na">dockerfile</span><span class="pi">:</span> <span class="s">Dockerfile</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">todos-api</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">PORT=8082</span> <span class="pi">-</span> <span class="s">AUTH_API_URL=http://auth-api:8081</span> <span class="c1"># To validate tokens</span> <span class="pi">-</span> <span class="s">JWT_SECRET=${JWT_SECRET:-myfancysecret}</span> <span class="pi">-</span> <span class="s">REDIS_URL=redis://redis:6379</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.enable=true"</span> <span class="c1"># Route /api/todos requests here</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.todos.rule=Host(`${DOMAIN:-yourdomain.com}`)</span><span class="nv"> </span><span class="s">&amp;&amp;</span><span class="nv"> </span><span class="s">PathPrefix(`/api/todos`)"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.todos.entrypoints=websecure"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.todos.tls.certresolver=letsencrypt"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.services.todos.loadbalancer.server.port=8082"</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">app-network</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">redis</span> <span class="pi">-</span> <span class="s">auth-api</span> <span class="c1"># Needs auth-api to validate tokens</span> </code></pre> </div> <h4> Step 5: The Users API (Java) </h4> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="c1"># Users API - Manages user accounts</span> <span class="na">users-api</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">context</span><span class="pi">:</span> <span class="s">./users-api</span> <span class="na">dockerfile</span><span class="pi">:</span> <span class="s">Dockerfile</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">users-api</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">SERVER_PORT=8083</span> <span class="pi">-</span> <span class="s">JWT_SECRET=${JWT_SECRET:-myfancysecret}</span> <span class="pi">-</span> <span class="s">REDIS_URL=redis://redis:6379</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.enable=true"</span> <span class="c1"># Route /api/users requests here</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.users.rule=Host(`${DOMAIN:-yourdomian.com}`)</span><span class="nv"> </span><span class="s">&amp;&amp;</span><span class="nv"> </span><span class="s">PathPrefix(`/api/users`)"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.users.entrypoints=websecure"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.users.tls.certresolver=letsencrypt"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.services.users.loadbalancer.server.port=8083"</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">app-network</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">redis</span> </code></pre> </div> <h4> Step 6: The Log Processor (Python) </h4> <p>This service doesn't need Traefik routing - it's a background worker:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="c1"># Log Processor - Background worker that processes messages</span> <span class="na">log-message-processor</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">context</span><span class="pi">:</span> <span class="s">./log-message-processor</span> <span class="na">dockerfile</span><span class="pi">:</span> <span class="s">Dockerfile</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">log-message-processor</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">REDIS_HOST=redis</span> <span class="c1"># Use service name</span> <span class="pi">-</span> <span class="s">REDIS_PORT=6379</span> <span class="pi">-</span> <span class="s">REDIS_CHANNEL=log-messages</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">app-network</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">redis</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="c1"># Keep it running</span> </code></pre> </div> <p><strong>Why no Traefik labels?</strong> This service doesn't serve HTTP requests - it just listens to Redis for messages.</p> <h4> Step 7: Supporting Services </h4> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="c1"># Redis - Message queue and cache</span> <span class="na">redis</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">redis:7-alpine</span> <span class="c1"># Use pre-built image, no Dockerfile needed</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">redis</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">6379:6379"</span> <span class="c1"># Expose for debugging (optional)</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">redis-data:/data</span> <span class="c1"># Persist data</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">app-network</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="c1"># Zipkin handler - Service for /zipkin endpoint</span> <span class="na">zipkin-handler</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx:alpine</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">zipkin-handler</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.enable=true"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.zipkin.rule=Host(`${DOMAIN:-yourdomain.com}`)</span><span class="nv"> </span><span class="s">&amp;&amp;</span><span class="nv"> </span><span class="s">PathPrefix(`/zipkin`)"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.zipkin.entrypoints=websecure"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.zipkin.tls.certresolver=letsencrypt"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.services.zipkin.loadbalancer.server.port=80"</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">app-network</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">&gt;</span> <span class="s">sh -c "echo 'server {</span> <span class="s">listen 80;</span> <span class="s">location / {</span> <span class="s">return 200 \"OK\";</span> <span class="s">add_header Content-Type text/plain;</span> <span class="s">}</span> <span class="s">}' &gt; /etc/nginx/conf.d/default.conf &amp;&amp; nginx -g 'daemon off;'"</span> </code></pre> </div> <h4> Step 8: Networks and Volumes </h4> <p>At the end of the file, define shared resources:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Networks - How containers communicate</span> <span class="na">networks</span><span class="pi">:</span> <span class="na">app-network</span><span class="pi">:</span> <span class="na">driver</span><span class="pi">:</span> <span class="s">bridge</span> <span class="c1"># Default network type</span> <span class="c1"># Volumes - Persistent storage</span> <span class="na">volumes</span><span class="pi">:</span> <span class="na">redis-data</span><span class="pi">:</span> <span class="c1"># Named volume for Redis data</span> </code></pre> </div> <p><strong>Why networks?</strong> Containers on the same network can talk to each other using service names (like <code>auth-api</code> instead of IP addresses).</p> <p><strong>Why volumes?</strong> Data in containers is lost when they're removed. Volumes persist data.</p> <h3> Complete docker-compose.yml Structure </h3> <p>Here's the mental model:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>docker-compose.yml ├── services (all your containers) │ ├── traefik (reverse proxy) │ ├── frontend (Vue.js app) │ ├── auth-api (Go service) │ ├── todos-api (Node.js service) │ ├── users-api (Java service) │ ├── log-message-processor (Python worker) │ ├── redis (database/queue) │ └── zipkin-handler (dummy endpoint) ├── networks (how they connect) │ └── app-network └── volumes (persistent storage) └── redis-data </code></pre> </div> <h3> Understanding Traefik Labels (Deep Dive) </h3> <p>Labels are how you tell Traefik what to do. Let's break down a complex example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">labels</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.enable=true"</span> <span class="c1"># Step 1: Enable Traefik for this service</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.auth.rule=Host(`example.com`)</span><span class="nv"> </span><span class="s">&amp;&amp;</span><span class="nv"> </span><span class="s">PathPrefix(`/api/auth`)"</span> <span class="c1"># Step 2: Define routing rule</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.auth.entrypoints=websecure"</span> <span class="c1"># Step 3: Use HTTPS</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.auth.tls.certresolver=letsencrypt"</span> <span class="c1"># Step 4: Get SSL cert</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.services.auth.loadbalancer.server.port=8081"</span> <span class="c1"># Step 5: Which port to forward to</span> </code></pre> </div> <p><strong>Breaking it down:</strong></p> <ol> <li> <strong>Router</strong> = A set of rules for routing traffic</li> <li> <strong>Rule</strong> = Conditions that must match (domain + path)</li> <li> <strong>Entrypoint</strong> = Which port/protocol (web = HTTP, websecure = HTTPS)</li> <li> <strong>Service</strong> = The actual container and port</li> <li> <strong>Middleware</strong> = Transformations (redirects, rewrites, etc.)</li> </ol> <p><strong>Example flow:</strong></p> <ol> <li>User visits <code>https://example.com/api/auth/login</code> </li> <li>Traefik receives request on port 443 (websecure entrypoint)</li> <li>Traefik checks rules: "Does this match <code>Host(example.com) &amp;&amp; PathPrefix(/api/auth)</code>?" → Yes!</li> <li>Traefik forwards to <code>auth</code> service on port 8081</li> <li>Auth-api container handles the request</li> </ol> <h3> Testing Your docker-compose.yml </h3> <p>Before deploying to the cloud, test locally:</p> <h4> Step 1: Create Environment File </h4> <p>Create a <code>.env</code> file in the root directory:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> <span class="o">&gt;</span> .env <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> DOMAIN=localhost LETSENCRYPT_EMAIL=your-email@example.com JWT_SECRET=test-secret-key-change-this-in-production </span><span class="no">EOF </span></code></pre> </div> <p><strong>What's in .env?</strong></p> <ul> <li> <code>DOMAIN</code> - Your domain name (use <code>localhost</code> for local testing)</li> <li> <code>LETSENCRYPT_EMAIL</code> - Email for SSL certificate notifications</li> <li> <code>JWT_SECRET</code> - Secret key for JWT tokens (use a strong random string in production)</li> </ul> <h4> Step 2: Start All Services </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Build and start all containers in the background</span> docker compose up <span class="nt">-d</span> <span class="c"># Watch all logs in real-time</span> docker compose logs <span class="nt">-f</span> <span class="c"># Or watch specific service logs</span> docker compose logs <span class="nt">-f</span> frontend docker compose logs <span class="nt">-f</span> auth-api </code></pre> </div> <p><strong>What <code>-d</code> means:</strong> Detached mode - runs in the background so you can use your terminal.</p> <h4> Step 3: Verify Everything is Running </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check status of all containers</span> docker compose ps <span class="c"># You should see something like:</span> <span class="c"># NAME STATUS PORTS</span> <span class="c"># traefik Up 2 minutes 0.0.0.0:80-&gt;80/tcp, 0.0.0.0:443-&gt;443/tcp</span> <span class="c"># frontend Up 2 minutes </span> <span class="c"># auth-api Up 2 minutes </span> <span class="c"># todos-api Up 2 minutes </span> <span class="c"># users-api Up 2 minutes </span> <span class="c"># log-message-processor Up 2 minutes </span> <span class="c"># redis Up 2 minutes 0.0.0.0:6379-&gt;6379/tcp</span> </code></pre> </div> <h4> Step 4: Test Each Service </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Test frontend (should return HTML)</span> curl http://localhost <span class="c"># Test auth API (should return "Not Found" - that's expected!)</span> curl http://localhost/api/auth <span class="c"># Test todos API (should return "Invalid Token" - also expected!)</span> curl http://localhost/api/todos <span class="c"># Test users API</span> curl http://localhost/api/users <span class="c"># Check Traefik dashboard (optional)</span> <span class="c"># Open http://localhost:8080 in your browser</span> </code></pre> </div> <p><strong>Expected responses:</strong></p> <ul> <li>Frontend: HTML page (login screen)</li> <li> <code>/api/auth</code> without path: "Not Found" (correct - needs specific endpoint)</li> <li> <code>/api/todos</code> without auth: "Invalid Token" (correct - needs authentication)</li> <li> <code>/api/users</code> without auth: "Missing or invalid Authorization header" (correct)</li> </ul> <h4> Step 5: Test with Browser </h4> <ol> <li>Open <code>http://localhost</code> in your browser</li> <li>You should see the login page</li> <li>Try logging in (if you have test credentials)</li> <li>Check browser console (F12) for any errors</li> </ol> <h4> Step 6: Check Logs for Errors </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># View logs for a specific service</span> docker compose logs frontend docker compose logs auth-api docker compose logs traefik <span class="c"># View last 100 lines</span> docker compose logs <span class="nt">--tail</span><span class="o">=</span>100 traefik <span class="c"># Follow logs in real-time</span> docker compose logs <span class="nt">-f</span> traefik </code></pre> </div> <p><strong>What to look for:</strong></p> <ul> <li>✅ "Server started" or "Listening on port X" = Good!</li> <li>❌ "Connection refused" = Service dependency not ready</li> <li>❌ "Module not found" = Missing dependency in Dockerfile</li> <li>❌ "Port already in use" = Another service is using that port</li> </ul> <h4> Step 7: Stop Everything </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Stop all containers</span> docker compose down <span class="c"># Stop and remove volumes (clean slate)</span> docker compose down <span class="nt">-v</span> <span class="c"># Stop and remove images too (full cleanup)</span> docker compose down <span class="nt">--rmi</span> all <span class="nt">-v</span> </code></pre> </div> <h3> Common Issues and Solutions </h3> <h4> Issue 1: "Port 80 already in use" </h4> <p><strong>Problem:</strong> Another service (like Apache, Nginx, or another Docker container) is using port 80.</p> <p><strong>Solution:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Find what's using port 80</span> <span class="nb">sudo </span>lsof <span class="nt">-i</span> :80 <span class="c"># or</span> <span class="nb">sudo </span>netstat <span class="nt">-tulpn</span> | <span class="nb">grep</span> :80 <span class="c"># Stop the conflicting service</span> <span class="nb">sudo </span>systemctl stop apache2 <span class="c"># or nginx, or whatever it is</span> <span class="c"># Or change Traefik ports in docker-compose.yml:</span> ports: - <span class="s2">"8080:80"</span> <span class="c"># Use 8080 instead of 80</span> - <span class="s2">"8443:443"</span> <span class="c"># Use 8443 instead of 443</span> </code></pre> </div> <h4> Issue 2: "Build failed" or "Module not found" </h4> <p><strong>Problem:</strong> Dockerfile has issues or dependencies are missing.</p> <p><strong>Solution:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Build a specific service to see detailed errors</span> docker compose build frontend <span class="c"># Check the Dockerfile syntax</span> <span class="c"># Make sure COPY commands are in the right order</span> <span class="c"># Make sure RUN commands install dependencies before copying code</span> </code></pre> </div> <h4> Issue 3: "Container keeps restarting" </h4> <p><strong>Problem:</strong> The application is crashing on startup.</p> <p><strong>Solution:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check why it's restarting</span> docker compose logs &lt;service-name&gt; <span class="c"># Common causes:</span> <span class="c"># - Missing environment variables</span> <span class="c"># - Database/Redis not ready (add depends_on)</span> <span class="c"># - Port conflict</span> <span class="c"># - Missing files or dependencies</span> </code></pre> </div> <h4> Issue 4: "Cannot connect to auth-api" or "Connection refused" </h4> <p><strong>Problem:</strong> Services can't find each other.</p> <p><strong>Solution:</strong></p> <ul> <li>✅ Use service names (e.g., <code>http://auth-api:8081</code>), not <code>localhost</code> </li> <li>✅ Make sure all services are on the same network (<code>app-network</code>)</li> <li>✅ Check <code>depends_on</code> - services might be starting before dependencies are ready</li> <li>✅ Add health checks or wait scripts if needed</li> </ul> <h4> Issue 5: "SSL certificate error" or "Let's Encrypt failed" </h4> <p><strong>Problem:</strong> Let's Encrypt can't verify your domain.</p> <p><strong>Solution:</strong></p> <ul> <li>For local testing: Use <code>localhost</code> and HTTP only (remove HTTPS redirect)</li> <li>For production: Make sure DNS points to your server</li> <li>Make sure ports 80 and 443 are open in firewall</li> <li>Check Traefik logs: <code>docker compose logs traefik</code> </li> </ul> <h3> Quick Reference: docker-compose Commands </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Start services</span> docker compose up <span class="c"># Start and show logs</span> docker compose up <span class="nt">-d</span> <span class="c"># Start in background</span> <span class="c"># Stop services</span> docker compose stop <span class="c"># Stop but don't remove</span> docker compose down <span class="c"># Stop and remove containers</span> <span class="c"># View logs</span> docker compose logs <span class="c"># All services</span> docker compose logs <span class="nt">-f</span> <span class="c"># Follow (live updates)</span> docker compose logs &lt;service&gt; <span class="c"># Specific service</span> <span class="c"># Rebuild</span> docker compose build <span class="c"># Build all</span> docker compose build &lt;service&gt; <span class="c"># Build specific service</span> docker compose up <span class="nt">--build</span> <span class="c"># Build and start</span> <span class="c"># Status</span> docker compose ps <span class="c"># Show running containers</span> docker compose top <span class="c"># Show running processes</span> <span class="c"># Execute commands</span> docker compose <span class="nb">exec</span> &lt;service&gt; &lt;<span class="nb">command</span><span class="o">&gt;</span> <span class="c"># Run command in container</span> docker compose <span class="nb">exec </span>frontend sh <span class="c"># Get shell in frontend container</span> </code></pre> </div> <h2> Part 4: Infrastructure as Code with Terraform </h2> <p>Now comes the infrastructure part. This is where many people get intimidated, but it's actually simpler than it seems.</p> <h3> Why Infrastructure as Code? </h3> <p>Imagine you're building a house. You could:</p> <ol> <li> <strong>Manual approach</strong>: Tell the builder "put a window here, a door there" every time</li> <li> <strong>Blueprint approach</strong>: Draw a blueprint once, builder follows it every time</li> </ol> <p>Infrastructure as Code is the blueprint approach. Benefits:</p> <ul> <li> <strong>Reproducible</strong>: Same code = same infrastructure, every time</li> <li> <strong>Version controlled</strong>: See what changed and when</li> <li> <strong>Testable</strong>: Try changes without breaking production</li> <li> <strong>Documented</strong>: The code IS the documentation</li> </ul> <h3> Understanding Terraform Basics </h3> <p>Terraform uses a language called HCL (HashiCorp Configuration Language). It's designed to be human-readable.</p> <p><strong>Basic structure:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"todo_app"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="s2">"ami-12345"</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="s2">"t3.medium"</span> <span class="p">}</span> </code></pre> </div> <p>This says: "Create an AWS EC2 instance resource, call it 'todo_app', with these properties."</p> <h3> Creating Your First Terraform Configuration </h3> <p>Let's build it step by step:</p> <h4> Step 1: Provider Configuration </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_version</span> <span class="p">=</span> <span class="s2">"&gt;= 1.5.0"</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">aws</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 5.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">backend</span> <span class="s2">"s3"</span> <span class="p">{</span> <span class="c1"># We'll configure this during init</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">aws_region</span> <span class="p">}</span> </code></pre> </div> <p><strong>What's happening:</strong></p> <ul> <li> <code>required_version</code> - Ensures everyone uses compatible Terraform</li> <li> <code>required_providers</code> - Tells Terraform which plugins to download</li> <li> <code>backend "s3"</code> - Where to store state (we'll configure this later)</li> <li> <code>provider "aws"</code> - Which cloud provider to use</li> </ul> <h4> Step 2: Data Sources (Getting Information) </h4> <p>Before creating resources, we often need to look things up:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">data</span> <span class="s2">"aws_ami"</span> <span class="s2">"ubuntu"</span> <span class="p">{</span> <span class="nx">most_recent</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">owners</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"099720109477"</span><span class="p">]</span> <span class="c1"># Canonical (Ubuntu's publisher)</span> <span class="nx">filter</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"name"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"*ubuntu-jammy-22.04-amd64-server*"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>What is an AMI?</strong> Amazon Machine Image - it's like a template for a virtual machine. This code finds the latest Ubuntu 22.04 image.</p> <p><strong>Why use data sources?</strong> AMI IDs change in different regions. Instead of hardcoding <code>ami-12345</code>, we let Terraform find the right one.</p> <h4> Step 3: Security Group (Firewall Rules) </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"todo_app"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"todo-app-sg-${var.environment}"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Security group for TODO application"</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"HTTP"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="c1"># Allow from anywhere</span> <span class="p">}</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"HTTPS"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"SSH"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">ssh_cidr</span><span class="p">]</span> <span class="c1"># Only from your IP (security!)</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="c1"># All protocols</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="c1"># Allow all outbound</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"todo-app-sg-${var.environment}"</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>What is a security group?</strong> It's AWS's firewall. It controls what traffic can reach your server.</p> <p><strong>Breaking it down:</strong></p> <ul> <li> <code>ingress</code> - Incoming traffic rules</li> <li> <code>egress</code> - Outgoing traffic rules</li> <li> <code>cidr_blocks = ["0.0.0.0/0"]</code> - From anywhere (0.0.0.0/0 means "everywhere")</li> <li> <code>var.ssh_cidr</code> - A variable (we'll set this to your IP for security)</li> </ul> <p><strong>Security tip</strong>: In production, restrict SSH to your IP only! Use a service like <code>whatismyip.com</code> to find your IP, then set <code>ssh_cidr = "YOUR_IP/32"</code>.</p> <h4> Step 4: EC2 Instance (Your Server) </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"todo_app"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_ami</span><span class="p">.</span><span class="nx">ubuntu</span><span class="p">.</span><span class="nx">id</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">key_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">key_pair_name</span> <span class="nx">vpc_security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">todo_app</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">user_data</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOF</span><span class="sh"> #!/bin/bash apt-get update apt-get install -y python3 python3-pip </span><span class="no"> EOF </span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"todo-app-server-${var.environment}"</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">Project</span> <span class="p">=</span> <span class="s2">"hngi13-stage6"</span> <span class="p">}</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">create_before_destroy</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>What's happening:</strong></p> <ul> <li> <code>ami</code> - Which OS image to use (from our data source)</li> <li> <code>instance_type</code> - Server size (t3.medium = 2 vCPU, 4GB RAM)</li> <li> <code>key_name</code> - Which SSH key to install</li> <li> <code>vpc_security_group_ids</code> - Which firewall rules to apply</li> <li> <code>user_data</code> - Script that runs when server starts (bootstrap script)</li> <li> <code>lifecycle</code> - Terraform behavior (create new before destroying old = zero downtime)</li> </ul> <h4> Step 5: Variables (Making It Flexible) </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"aws_region"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"AWS region"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"instance_type"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"EC2 instance type"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"t3.medium"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"key_pair_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"AWS Key Pair name"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="c1"># Required - no default</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"environment"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Environment name (dev, stg, prod)"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"dev"</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">contains</span><span class="p">([</span><span class="s2">"dev"</span><span class="p">,</span> <span class="s2">"stg"</span><span class="p">,</span> <span class="s2">"prod"</span><span class="p">],</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span><span class="p">)</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Environment must be one of: dev, stg, prod"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Why variables?</strong> Makes your code reusable. Same code works for dev, staging, and production - just change the variables!</p> <h4> Step 6: Outputs (Getting Information Back) </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">output</span> <span class="s2">"server_ip"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Public IP of the server"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_instance</span><span class="p">.</span><span class="nx">todo_app</span><span class="p">.</span><span class="nx">public_ip</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"ansible_inventory_path"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Path to generated Ansible inventory"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">local_file</span><span class="p">.</span><span class="nx">ansible_inventory</span><span class="p">.</span><span class="nx">filename</span> <span class="p">}</span> </code></pre> </div> <p><strong>What are outputs?</strong> After Terraform creates resources, you often need information about them (like the server IP). Outputs make that information available.</p> <h3> Environment-Specific Configuration </h3> <p>Create separate <code>.tfvars</code> files for each environment. This is crucial - you'll have three files, one for each environment:</p> <p><strong>terraform.dev.tfvars:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">environment</span> <span class="err">=</span> <span class="s2">"dev"</span> <span class="nx">aws_region</span> <span class="err">=</span> <span class="s2">"us-east-1"</span> <span class="nx">instance_type</span> <span class="err">=</span> <span class="s2">"t3.small"</span> <span class="c1"># Smaller for dev (saves money)</span> <span class="nx">key_pair_name</span> <span class="err">=</span> <span class="s2">"my-terraform-key"</span> <span class="nx">ssh_key_path</span> <span class="err">=</span> <span class="s2">"~/.ssh/my-terraform-key.pem"</span> <span class="nx">ssh_cidr</span> <span class="err">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="c1"># Less restrictive for dev</span> <span class="nx">server_user</span> <span class="err">=</span> <span class="s2">"ubuntu"</span> <span class="nx">skip_ansible_provision</span> <span class="err">=</span> <span class="kc">false</span> <span class="c1"># Run Ansible automatically</span> </code></pre> </div> <p><strong>terraform.stg.tfvars:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">environment</span> <span class="err">=</span> <span class="s2">"stg"</span> <span class="nx">aws_region</span> <span class="err">=</span> <span class="s2">"us-east-1"</span> <span class="nx">instance_type</span> <span class="err">=</span> <span class="s2">"t3.small"</span> <span class="c1"># Can be same size as dev for staging</span> <span class="nx">key_pair_name</span> <span class="err">=</span> <span class="s2">"my-terraform-key"</span> <span class="nx">ssh_key_path</span> <span class="err">=</span> <span class="s2">"~/.ssh/my-terraform-key.pem"</span> <span class="nx">ssh_cidr</span> <span class="err">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="c1"># Can be less restrictive than prod</span> <span class="nx">server_user</span> <span class="err">=</span> <span class="s2">"ubuntu"</span> <span class="nx">skip_ansible_provision</span> <span class="err">=</span> <span class="kc">false</span> </code></pre> </div> <p><strong>terraform.prod.tfvars:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">environment</span> <span class="err">=</span> <span class="s2">"prod"</span> <span class="nx">aws_region</span> <span class="err">=</span> <span class="s2">"us-east-1"</span> <span class="nx">instance_type</span> <span class="err">=</span> <span class="s2">"t3.medium"</span> <span class="c1"># More power for production</span> <span class="nx">key_pair_name</span> <span class="err">=</span> <span class="s2">"my-terraform-key"</span> <span class="nx">ssh_key_path</span> <span class="err">=</span> <span class="s2">"~/.ssh/my-terraform-key.pem"</span> <span class="nx">ssh_cidr</span> <span class="err">=</span> <span class="s2">"YOUR_IP/32"</span> <span class="c1"># Restrict SSH to your IP only!</span> <span class="nx">server_user</span> <span class="err">=</span> <span class="s2">"ubuntu"</span> <span class="nx">skip_ansible_provision</span> <span class="err">=</span> <span class="kc">false</span> </code></pre> </div> <p><strong>Why three separate files?</strong> Different environments have different needs:</p> <ul> <li> <strong>Dev</strong>: Smaller instance, less security (for quick testing)</li> <li> <strong>Staging</strong>: Similar to dev, but closer to production setup (for pre-production testing)</li> <li> <strong>Prod</strong>: Larger instance, maximum security (for real users)</li> </ul> <p><strong>File structure:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>infra/terraform/ ├── main.tf ├── variables.tf ├── outputs.tf ├── terraform.dev.tfvars ← Development environment ├── terraform.stg.tfvars ← Staging environment └── terraform.prod.tfvars ← Production environment </code></pre> </div> <h3> Remote State Configuration </h3> <p>Remember the S3 bucket we created? Now we use it. <strong>Important</strong>: Each environment needs its own state file path!</p> <p><strong>For Development:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform init <span class="se">\</span> <span class="nt">-backend-config</span><span class="o">=</span><span class="s2">"bucket=yourname-terraform-state"</span> <span class="se">\</span> <span class="nt">-backend-config</span><span class="o">=</span><span class="s2">"key=terraform-state/dev/terraform.tfstate"</span> <span class="se">\</span> <span class="nt">-backend-config</span><span class="o">=</span><span class="s2">"region=us-east-1"</span> <span class="se">\</span> <span class="nt">-backend-config</span><span class="o">=</span><span class="s2">"dynamodb_table=terraform-state-lock"</span> <span class="se">\</span> <span class="nt">-backend-config</span><span class="o">=</span><span class="s2">"encrypt=true"</span> </code></pre> </div> <p><strong>For Staging:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform init <span class="se">\</span> <span class="nt">-backend-config</span><span class="o">=</span><span class="s2">"bucket=yourname-terraform-state"</span> <span class="se">\</span> <span class="nt">-backend-config</span><span class="o">=</span><span class="s2">"key=terraform-state/stg/terraform.tfstate"</span> <span class="se">\</span> <span class="nt">-backend-config</span><span class="o">=</span><span class="s2">"region=us-east-1"</span> <span class="se">\</span> <span class="nt">-backend-config</span><span class="o">=</span><span class="s2">"dynamodb_table=terraform-state-lock"</span> <span class="se">\</span> <span class="nt">-backend-config</span><span class="o">=</span><span class="s2">"encrypt=true"</span> </code></pre> </div> <p><strong>For Production:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform init <span class="se">\</span> <span class="nt">-backend-config</span><span class="o">=</span><span class="s2">"bucket=yourname-terraform-state"</span> <span class="se">\</span> <span class="nt">-backend-config</span><span class="o">=</span><span class="s2">"key=terraform-state/prod/terraform.tfstate"</span> <span class="se">\</span> <span class="nt">-backend-config</span><span class="o">=</span><span class="s2">"region=us-east-1"</span> <span class="se">\</span> <span class="nt">-backend-config</span><span class="o">=</span><span class="s2">"dynamodb_table=terraform-state-lock"</span> <span class="se">\</span> <span class="nt">-backend-config</span><span class="o">=</span><span class="s2">"encrypt=true"</span> </code></pre> </div> <p><strong>What this does:</strong></p> <ul> <li> <code>bucket</code> - Where to store state (same bucket for all environments)</li> <li> <code>key</code> - File path in bucket (<strong>different per environment!</strong>)</li> <li> <code>dynamodb_table</code> - For locking (prevents conflicts when multiple people run Terraform)</li> <li> <code>encrypt=true</code> - Encrypt state at rest (security)</li> </ul> <p><strong>Why separate keys per environment?</strong> </p> <ul> <li> <code>terraform-state/dev/terraform.tfstate</code> → Development infrastructure</li> <li> <code>terraform-state/stg/terraform.tfstate</code> → Staging infrastructure </li> <li> <code>terraform-state/prod/terraform.tfstate</code> → Production infrastructure</li> </ul> <p>These are <strong>completely separate files</strong>. This means:</p> <ul> <li>✅ Dev, staging, and prod infrastructure are isolated</li> <li>✅ You can destroy dev without affecting staging or prod</li> <li>✅ Each environment has its own state history</li> <li>✅ No risk of accidentally modifying the wrong environment</li> </ul> <h3> Your First Terraform Run </h3> <p>Let's deploy to development first (always start with dev!):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Initialize (downloads providers, sets up backend)</span> terraform init <span class="se">\</span> <span class="nt">-backend-config</span><span class="o">=</span><span class="s2">"bucket=yourname-terraform-state"</span> <span class="se">\</span> <span class="nt">-backend-config</span><span class="o">=</span><span class="s2">"key=terraform-state/dev/terraform.tfstate"</span> <span class="se">\</span> <span class="nt">-backend-config</span><span class="o">=</span><span class="s2">"region=us-east-1"</span> <span class="se">\</span> <span class="nt">-backend-config</span><span class="o">=</span><span class="s2">"dynamodb_table=terraform-state-lock"</span> <span class="se">\</span> <span class="nt">-backend-config</span><span class="o">=</span><span class="s2">"encrypt=true"</span> <span class="c"># 2. Plan (see what will be created - SAFE, doesn't change anything)</span> terraform plan <span class="nt">-var-file</span><span class="o">=</span>terraform.dev.tfvars <span class="c"># 3. Apply (actually create resources)</span> terraform apply <span class="nt">-var-file</span><span class="o">=</span>terraform.dev.tfvars </code></pre> </div> <p><strong>What happens:</strong></p> <ol> <li> <code>terraform init</code> - Downloads AWS provider, configures backend for dev environment</li> <li> <code>terraform plan</code> - Shows you what will be created/changed/destroyed (dry run)</li> <li> <code>terraform apply</code> - Actually creates the resources</li> </ol> <p><strong>Pro tip</strong>: Always run <code>plan</code> first! It's like a dry run. Review the output carefully before applying.</p> <p><strong>For other environments</strong>, repeat the same steps but:</p> <ul> <li>Use the appropriate <code>-backend-config="key=terraform-state/ENV/terraform.tfstate"</code> </li> <li>Use the matching <code>-var-file=terraform.ENV.tfvars</code> </li> </ul> <p>Example for staging:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform init <span class="se">\</span> <span class="nt">-backend-config</span><span class="o">=</span><span class="s2">"bucket=yourname-terraform-state"</span> <span class="se">\</span> <span class="nt">-backend-config</span><span class="o">=</span><span class="s2">"key=terraform-state/stg/terraform.tfstate"</span> <span class="se">\</span> <span class="nt">-backend-config</span><span class="o">=</span><span class="s2">"region=us-east-1"</span> <span class="se">\</span> <span class="nt">-backend-config</span><span class="o">=</span><span class="s2">"dynamodb_table=terraform-state-lock"</span> <span class="se">\</span> <span class="nt">-backend-config</span><span class="o">=</span><span class="s2">"encrypt=true"</span> terraform plan <span class="nt">-var-file</span><span class="o">=</span>terraform.stg.tfvars terraform apply <span class="nt">-var-file</span><span class="o">=</span>terraform.stg.tfvars </code></pre> </div> <h3> Understanding Drift Detection (Critical for Safety!) </h3> <p><strong>What is drift?</strong> Imagine you have a blueprint for a house (Terraform code), but someone goes and changes the actual house (AWS infrastructure) without updating the blueprint. That's drift - your code and reality don't match anymore.</p> <p><strong>Real-world example:</strong></p> <ol> <li>You deploy infrastructure with Terraform ✅</li> <li>Later, you manually add a tag to your EC2 instance in AWS Console 🏷️</li> <li>Terraform doesn't know about this change</li> <li>Next time you run Terraform, it sees the difference → <strong>DRIFT DETECTED!</strong> </li> </ol> <p><strong>Why drift is dangerous:</strong></p> <ul> <li>🔴 <strong>Security risk</strong>: Someone might have changed something maliciously</li> <li>🔴 <strong>Data loss</strong>: Terraform might try to "fix" things and delete your changes</li> <li>🔴 <strong>Confusion</strong>: You don't know what changed or why</li> <li>🔴 <strong>Breaking changes</strong>: Manual changes might break your application</li> </ul> <p><strong>How drift detection works:</strong></p> <p>Think of it like a security guard checking your house:</p> <ol> <li> <strong>Terraform Plan</strong> = Security guard walks around and notes what's different</li> <li> <strong>Check Git History</strong> = Did you change the blueprint (Terraform files)? <ul> <li>✅ <strong>If yes</strong> → Expected changes (you updated the code)</li> <li>❌ <strong>If no</strong> → DRIFT! (Someone changed infrastructure without updating code)</li> </ul> </li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faejrh796svhskcjbbfqj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faejrh796svhskcjbbfqj.png" alt="Drift Log" width="800" height="365"></a></p> <ol> <li> <strong>Alert</strong> = Security guard calls you immediately</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff1w02ff3scp93x0b2t30.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff1w02ff3scp93x0b2t30.png" alt="Email Alert" width="800" height="411"></a></p> <ol> <li> <strong>Approval</strong> = You review and decide what to do</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyh18go7igm1vn8swqzk9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyh18go7igm1vn8swqzk9.png" alt="Github Issue" width="800" height="365"></a></p> <ol> <li> <strong>Action</strong> = Apply changes or investigate further</li> </ol> <p><strong>The detection logic:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Step 1: Run terraform plan to see what's different</span> terraform plan <span class="nt">-out</span><span class="o">=</span>tfplan <span class="c"># Step 2: Check if Terraform files changed in this commit</span> git diff HEAD~1 HEAD <span class="nt">--name-only</span> | <span class="nb">grep</span> <span class="nt">-E</span> <span class="s2">"</span><span class="se">\.</span><span class="s2">tf</span><span class="nv">$|</span><span class="se">\.</span><span class="s2">tfvars$"</span> <span class="c"># Step 3: Determine the type of change</span> <span class="k">if</span> <span class="o">[</span> no terraform files changed <span class="o">]</span> <span class="o">&amp;&amp;</span> <span class="o">[</span> plan shows changes <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"🚨 DRIFT DETECTED!"</span> <span class="c"># Send email, create GitHub issue, wait for approval</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">"✅ Expected changes (code was updated)"</span> <span class="c"># Proceed automatically</span> <span class="k">fi</span> </code></pre> </div> <h3> Setting Up Email Notifications for Drift </h3> <p>When drift is detected, you need to know immediately! That's where email notifications come in.</p> <h4> Step 1: Verify Your Email in AWS SES </h4> <p>AWS SES (Simple Email Service) is like a post office for your applications. First, you need to verify your email address:</p> <ol> <li> <strong>Go to AWS Console</strong> → SES (Simple Email Service)</li> <li> <strong>Click "Verified identities"</strong> → "Create identity"</li> <li><strong>Choose "Email address"</strong></li> <li> <strong>Enter your email</strong> (e.g., <code>your-email@gmail.com</code>)</li> <li><strong>Click "Create identity"</strong></li> <li> <strong>Check your email</strong> and click the verification link</li> </ol> <p><strong>Why verify?</strong> AWS prevents spam by requiring you to verify you own the email address.</p> <h4> Step 2: Create the Email Notification Script </h4> <p>Create <code>infra/ci-cd/scripts/email-notification.sh</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># Email Notification Script for Terraform Drift</span> <span class="c"># Sends email alert when infrastructure drift is detected</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="nv">DRIFT_SUMMARY</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">1</span><span class="k">:-}</span><span class="s2">"</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$DRIFT_SUMMARY</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Error: Drift summary not provided"</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># Email configuration from environment variables</span> <span class="nv">EMAIL_TO</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">EMAIL_TO</span><span class="k">:-}</span><span class="s2">"</span> <span class="nv">EMAIL_FROM</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">EMAIL_FROM</span><span class="k">:-}</span><span class="s2">"</span> <span class="nv">AWS_REGION</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">AWS_REGION</span><span class="k">:-</span><span class="nv">us</span><span class="p">-east-1</span><span class="k">}</span><span class="s2">"</span> <span class="c"># GitHub Actions variables for workflow link</span> <span class="nv">GITHUB_SERVER_URL</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">GITHUB_SERVER_URL</span><span class="k">:-</span><span class="nv">https</span>://github.com<span class="k">}</span><span class="s2">"</span> <span class="nv">GITHUB_REPOSITORY</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">GITHUB_REPOSITORY</span><span class="k">:-}</span><span class="s2">"</span> <span class="nv">GITHUB_RUN_ID</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">GITHUB_RUN_ID</span><span class="k">:-}</span><span class="s2">"</span> <span class="c"># Check if email is configured</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$EMAIL_TO</span><span class="s2">"</span> <span class="o">]</span> <span class="o">||</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$EMAIL_FROM</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"⚠️ Email not configured. Skipping email notification."</span> <span class="nb">exit </span>0 <span class="k">fi</span> <span class="c"># Build workflow run URL if GitHub variables are available</span> <span class="nv">WORKFLOW_URL</span><span class="o">=</span><span class="s2">""</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-n</span> <span class="s2">"</span><span class="nv">$GITHUB_REPOSITORY</span><span class="s2">"</span> <span class="o">]</span> <span class="o">&amp;&amp;</span> <span class="o">[</span> <span class="nt">-n</span> <span class="s2">"</span><span class="nv">$GITHUB_RUN_ID</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nv">WORKFLOW_URL</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">GITHUB_SERVER_URL</span><span class="k">}</span><span class="s2">/</span><span class="k">${</span><span class="nv">GITHUB_REPOSITORY</span><span class="k">}</span><span class="s2">/actions/runs/</span><span class="k">${</span><span class="nv">GITHUB_RUN_ID</span><span class="k">}</span><span class="s2">"</span> <span class="k">fi</span> <span class="c"># Create email body</span> <span class="nv">SUBJECT</span><span class="o">=</span><span class="s2">"🚨 Terraform Drift Detected - Action Required"</span> <span class="nv">BODY</span><span class="o">=</span><span class="si">$(</span><span class="nb">cat</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> Terraform infrastructure drift has been detected. This means infrastructure was changed OUTSIDE of Terraform (e.g., manually in AWS Console). Please review the changes and approve the deployment in GitHub Actions. </span><span class="si">$(</span><span class="k">if</span> <span class="o">[</span> <span class="nt">-n</span> <span class="s2">"</span><span class="nv">$WORKFLOW_URL</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"🔗 View Workflow Run: </span><span class="nv">$WORKFLOW_URL</span><span class="s2">"</span><span class="p">;</span> <span class="nb">echo</span> <span class="s2">""</span><span class="p">;</span> <span class="k">fi</span><span class="si">)</span><span class="sh"> Drift Summary: </span><span class="nv">$DRIFT_SUMMARY</span><span class="sh"> --- This is an automated message from GitHub Actions. </span><span class="no">EOF </span><span class="si">)</span> <span class="c"># Send email via AWS SES</span> <span class="nb">echo</span> <span class="s2">"📧 Sending drift alert email via AWS SES..."</span> aws ses send-email <span class="se">\</span> <span class="nt">--region</span> <span class="s2">"</span><span class="nv">$AWS_REGION</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--from</span> <span class="s2">"</span><span class="nv">$EMAIL_FROM</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--to</span> <span class="s2">"</span><span class="nv">$EMAIL_TO</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--subject</span> <span class="s2">"</span><span class="nv">$SUBJECT</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--text</span> <span class="s2">"</span><span class="nv">$BODY</span><span class="s2">"</span> <span class="se">\</span> <span class="o">||</span> <span class="nb">echo</span> <span class="s2">"⚠️ Failed to send email. Check AWS credentials and SES configuration."</span> <span class="nb">echo</span> <span class="s2">"✅ Email notification sent!"</span> </code></pre> </div> <p><strong>Make it executable:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">chmod</span> +x infra/ci-cd/scripts/email-notification.sh </code></pre> </div> <p><strong>What this script does:</strong></p> <ol> <li>Takes the drift summary as input</li> <li>Checks if email is configured</li> <li>Builds a nice email message with the drift details</li> <li>Sends it via AWS SES</li> <li>Includes a link to the GitHub workflow run</li> </ol> <h4> Step 3: Add GitHub Secrets </h4> <p>In your GitHub repository, go to <strong>Settings</strong> → <strong>Secrets and variables</strong> → <strong>Actions</strong>, and add:</p> <ul> <li> <code>EMAIL_TO</code> - Your email address (where to send alerts)</li> <li> <code>EMAIL_FROM</code> - Your verified SES email (must match the one you verified in AWS)</li> <li> <code>AWS_ACCESS_KEY_ID</code> - Your AWS access key</li> <li> <code>AWS_SECRET_ACCESS_KEY</code> - Your AWS secret key</li> <li> <code>AWS_REGION</code> - Your AWS region (e.g., <code>us-east-1</code>)</li> </ul> <p><strong>Security tip</strong>: Never commit these values to your repository! Always use GitHub Secrets.</p> <h3> Understanding GitHub Issue Approval </h3> <p>When drift is detected, the workflow creates a GitHub issue and waits for your approval. This is like a safety checkpoint.</p> <p><strong>How it works:</strong></p> <ol> <li> <strong>Drift detected</strong> → Workflow pauses</li> <li> <strong>GitHub issue created</strong> → Contains: <ul> <li>What changed</li> <li>Why it's drift (no code changes)</li> <li>Link to workflow run</li> <li>Plan summary</li> </ul> </li> <li> <strong>You review</strong> → Check the issue</li> <li> <strong>You approve</strong> → Comment "approve" or click approve button</li> <li> <strong>Workflow continues</strong> → Terraform applies the changes</li> </ol> <p><strong>Example GitHub Issue:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>🚨 REAL DRIFT DETECTED - Infrastructure Changed Outside Terraform (dev) ⚠️ CRITICAL: Real Infrastructure Drift Detected Infrastructure has been modified outside of Terraform. This is unexpected. Environment: dev What happened: - Terraform code files were NOT modified - But infrastructure plan shows changes - This indicates manual changes or changes from another process Action Required: 1. Review the plan below 2. Investigate what caused the drift 3. Approve if changes are intentional, or revert if unauthorized Plan Summary: </code></pre> </div> <h2> aws_instance.todo_app will be updated in-place </h2> <p>~ resource "aws_instance" "todo_app" {<br> ~ tags = {<br> - "ManualTag" = "test" -&gt; null<br> }<br> }<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Workflow Run: 🔗 View Workflow Run: https://github.com/yourusername/repo/actions/runs/123456 Next Steps: - Approve to apply these changes - Or investigate and revert unauthorized changes </code></pre> </div> <p><strong>How to approve:</strong></p> <ol> <li> <strong>Go to the GitHub issue</strong> (you'll get a notification)</li> <li> <strong>Review the changes</strong> carefully</li> <li> <strong>If changes are OK</strong>: Comment "approve" or click the approve button</li> <li> <strong>If changes are suspicious</strong>: Investigate first, then approve or revert</li> </ol> <p><strong>Why this matters:</strong></p> <ul> <li>✅ Prevents accidental changes</li> <li>✅ Gives you time to investigate</li> <li>✅ Creates an audit trail (who approved what, when)</li> <li>✅ Protects production from unauthorized changes</li> </ul> <h3> Testing Drift Detection </h3> <p>Want to test if drift detection works? Here's how:</p> <p><strong>Step 1: Deploy infrastructure normally</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform apply <span class="nt">-var-file</span><span class="o">=</span>terraform.dev.tfvars </code></pre> </div> <p><strong>Step 2: Manually change something in AWS Console</strong></p> <ol> <li>Go to AWS Console → EC2 → Instances</li> <li>Find your instance</li> <li>Click "Tags" → "Manage tags"</li> <li>Add a new tag: <code>TestTag = "drift-test"</code> </li> <li>Save</li> </ol> <p>Added port 8080 via AWS console<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbpu7x6q04nj8fsn4w4zi.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbpu7x6q04nj8fsn4w4zi.png" alt="ADD Port-8080" width="800" height="365"></a></p> <p><strong>Step 3: Trigger the workflow</strong></p> <ol> <li>Go to GitHub Actions</li> <li>Run the "Infrastructure Deployment" workflow</li> <li>Select "dev" environment</li> <li>Watch it detect drift!</li> </ol> <p><strong>Step 4: Check your email</strong></p> <ul> <li>You should receive an email alert</li> <li>Check spam folder if you don't see it</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbuw0zgamal61m8ddtsnp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbuw0zgamal61m8ddtsnp.png" alt="Email Alert" width="800" height="411"></a></p> <p><strong>Step 5: Approve in GitHub</strong></p> <ul> <li>A GitHub issue should be created</li> <li>Review and approve</li> <li>Watch Terraform apply the changes</li> </ul> <p>Approved github issue<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faihhioyuk4wgw5e4y82u.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faihhioyuk4wgw5e4y82u.png" alt="Github Issue" width="800" height="365"></a></p> <h3> Destroying Infrastructure (When You Need to Start Over) </h3> <p>Sometimes you need to tear everything down and start fresh. Here's how to do it safely.</p> <p><strong>⚠️ WARNING</strong>: Destroying infrastructure will <strong>DELETE EVERYTHING</strong>:</p> <ul> <li>Your EC2 instance</li> <li>All data on the server</li> <li>Security groups</li> <li>Everything created by Terraform</li> </ul> <p><strong>Make sure you:</strong></p> <ul> <li>✅ Have backups if you need data</li> <li>✅ Are destroying the right environment (dev, not prod!)</li> <li>✅ Really want to delete everything</li> </ul> <h4> Method 1: Destroy via Command Line </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Step 1: Initialize Terraform (if not already done)</span> <span class="nb">cd </span>infra/terraform terraform init <span class="se">\</span> <span class="nt">-backend-config</span><span class="o">=</span><span class="s2">"bucket=yourname-terraform-state"</span> <span class="se">\</span> <span class="nt">-backend-config</span><span class="o">=</span><span class="s2">"key=terraform-state/dev/terraform.tfstate"</span> <span class="se">\</span> <span class="nt">-backend-config</span><span class="o">=</span><span class="s2">"region=us-east-1"</span> <span class="se">\</span> <span class="nt">-backend-config</span><span class="o">=</span><span class="s2">"dynamodb_table=terraform-state-lock"</span> <span class="se">\</span> <span class="nt">-backend-config</span><span class="o">=</span><span class="s2">"encrypt=true"</span> <span class="c"># Step 2: Plan the destruction (see what will be deleted)</span> terraform plan <span class="nt">-destroy</span> <span class="nt">-var-file</span><span class="o">=</span>terraform.dev.tfvars <span class="c"># Step 3: Review the plan carefully!</span> <span class="c"># Make sure it's only deleting what you want</span> <span class="c"># Step 4: Destroy everything</span> terraform destroy <span class="nt">-var-file</span><span class="o">=</span>terraform.dev.tfvars </code></pre> </div> <p><strong>What happens:</strong></p> <ol> <li>Terraform reads the state file</li> <li>Plans what needs to be destroyed</li> <li>Shows you the plan (review it!)</li> <li>Asks for confirmation (type <code>yes</code>)</li> <li>Deletes everything in reverse order</li> </ol> <h4> Method 2: Destroy via GitHub Actions </h4> <p>If you have a destroy workflow set up:</p> <ol> <li><strong>Go to GitHub Actions</strong></li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxyzoersxwui4yukdzmj5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxyzoersxwui4yukdzmj5.png" alt="Terraform Destroy" width="800" height="411"></a></p> <ol> <li> <strong>Find "Destroy Infrastructure" workflow</strong> (if you have one)</li> <li><strong>Click "Run workflow"</strong></li> <li> <strong>Select environment</strong> (be careful - don't destroy prod!)</li> <li> <strong>Confirm</strong> and run <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpvo052va4kgi2csf06xm.png" alt="Destroy Action" width="800" height="390"> </li> </ol> <p><strong>Example destroy workflow:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Destroy Infrastructure</span> <span class="na">on</span><span class="pi">:</span> <span class="na">workflow_dispatch</span><span class="pi">:</span> <span class="na">inputs</span><span class="pi">:</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Environment</span><span class="nv"> </span><span class="s">to</span><span class="nv"> </span><span class="s">destroy'</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">type</span><span class="pi">:</span> <span class="s">choice</span> <span class="na">options</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">dev</span><span class="pi">,</span> <span class="nv">stg</span><span class="pi">,</span> <span class="nv">prod</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">destroy</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS credentials</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">aws-access-key-id</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">aws-secret-access-key</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_REGION }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Setup Terraform</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">hashicorp/setup-terraform@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Init</span> <span class="na">working-directory</span><span class="pi">:</span> <span class="s">infra/terraform</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">terraform init \</span> <span class="s">-backend-config="bucket=${{ secrets.TERRAFORM_STATE_BUCKET }}" \</span> <span class="s">-backend-config="key=terraform-state/${{ github.event.inputs.environment }}/terraform.tfstate" \</span> <span class="s">-backend-config="region=${{ secrets.AWS_REGION }}" \</span> <span class="s">-backend-config="dynamodb_table=${{ secrets.TERRAFORM_STATE_LOCK_TABLE }}" \</span> <span class="s">-backend-config="encrypt=true"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Plan Destroy</span> <span class="na">working-directory</span><span class="pi">:</span> <span class="s">infra/terraform</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">terraform plan -destroy \</span> <span class="s">-var-file=terraform.${{ github.event.inputs.environment }}.tfvars \</span> <span class="s">-var="key_pair_name=${{ secrets.TERRAFORM_KEY_PAIR_NAME }}" \</span> <span class="s">-out=tfplan</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Manual Approval</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">trstringer/manual-approval@v1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">secret</span><span class="pi">:</span> <span class="s">${{ github.TOKEN }}</span> <span class="na">approvers</span><span class="pi">:</span> <span class="s">${{ github.actor }}</span> <span class="na">minimum-approvals</span><span class="pi">:</span> <span class="m">1</span> <span class="na">issue-title</span><span class="pi">:</span> <span class="s2">"</span><span class="s">⚠️</span><span class="nv"> </span><span class="s">DESTROY</span><span class="nv"> </span><span class="s">Infrastructure</span><span class="nv"> </span><span class="s">-</span><span class="nv"> </span><span class="s">${{</span><span class="nv"> </span><span class="s">github.event.inputs.environment</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">issue-body</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">**⚠️ WARNING: Infrastructure Destruction Requested**</span> <span class="s">This will **DELETE ALL INFRASTRUCTURE** for environment: **${{ github.event.inputs.environment }}**</span> <span class="s">**This action cannot be undone!**</span> <span class="s">Review the plan and approve only if you're sure.</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Destroy</span> <span class="na">if</span><span class="pi">:</span> <span class="s">steps.manual-approval.outcome == 'success'</span> <span class="na">working-directory</span><span class="pi">:</span> <span class="s">infra/terraform</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform apply -auto-approve tfplan</span> </code></pre> </div> <p><strong>Safety features:</strong></p> <ul> <li>✅ Manual approval required (can't destroy by accident)</li> <li>✅ Shows what will be destroyed</li> <li>✅ Creates GitHub issue for review</li> <li>✅ Environment selection (prevents destroying wrong env)</li> </ul> <h4> Method 3: Destroy Specific Resources </h4> <p>Don't want to destroy everything? You can target specific resources:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Destroy only the EC2 instance (keep security group)</span> terraform destroy <span class="nt">-target</span><span class="o">=</span>aws_instance.todo_app <span class="nt">-var-file</span><span class="o">=</span>terraform.dev.tfvars <span class="c"># Destroy only the security group</span> terraform destroy <span class="nt">-target</span><span class="o">=</span>aws_security_group.todo_app <span class="nt">-var-file</span><span class="o">=</span>terraform.dev.tfvars </code></pre> </div> <p><strong>When to use this:</strong></p> <ul> <li>You want to recreate just one resource</li> <li>Something is broken and you want to rebuild it</li> <li>You're testing changes</li> </ul> <h4> After Destruction </h4> <p>After destroying, your state file still exists in S3, but it's empty (or has no resources). You can:</p> <ol> <li> <strong>Start fresh</strong>: Run <code>terraform apply</code> again to recreate everything</li> <li> <strong>Clean up state</strong>: Delete the state file from S3 (optional)</li> <li> <strong>Keep state</strong>: Leave it (Terraform will just create new resources)</li> </ol> <p><strong>Best practice</strong>: Keep the state file. It's useful for history and doesn't cost much.</p> <h3> Summary: The Complete Terraform Workflow </h3> <p>Here's the full picture of how everything works together:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────┐ │ 1. You make changes to Terraform code │ │ (or someone changes infrastructure manually) │ └─────────────────┬───────────────────────────────────────┘ │ ▼ ┌─────────────────────────────────────────────────────────┐ │ 2. GitHub Actions workflow runs │ │ - Checks out code │ │ - Runs terraform plan │ └─────────────────┬───────────────────────────────────────┘ │ ▼ ┌─────────────────────────────────────────────────────────┐ │ 3. Drift Detection │ │ - Did Terraform files change? │ │ - Does plan show changes? │ │ - If no code changes + plan changes = DRIFT! │ └─────────────────┬───────────────────────────────────────┘ │ ┌─────────┴─────────┐ │ │ ▼ ▼ ┌──────────────┐ ┌──────────────────┐ │ DRIFT │ │ EXPECTED CHANGES │ │ DETECTED │ │ (Code updated) │ └──────┬───────┘ └────────┬───────────┘ │ │ ▼ ▼ ┌──────────────────┐ ┌──────────────────┐ │ Send Email │ │ Apply directly │ │ Create Issue │ │ (No approval) │ │ Wait for Approval│ └──────────────────┘ └────────┬─────────┘ │ ▼ ┌──────────────────┐ │ You Review │ │ &amp; Approve │ └────────┬─────────┘ │ ▼ ┌──────────────────┐ │ Apply Changes │ │ (terraform apply) │ └──────────────────┘ </code></pre> </div> <p><strong>Key takeaways:</strong></p> <ul> <li>✅ Always run <code>terraform plan</code> first (see what will happen)</li> <li>✅ Drift detection protects you from unexpected changes</li> <li>✅ Email notifications keep you informed</li> <li>✅ Manual approval prevents accidents</li> <li>✅ Destroy carefully - it's permanent!</li> </ul> <h2> Part 5: Server Configuration with Ansible </h2> <p>Terraform created your server, but it's just a blank Ubuntu machine. Now we need to:</p> <ol> <li>Install Docker</li> <li>Clone your code</li> <li>Start the application</li> </ol> <p>That's where Ansible comes in.</p> <h3> Understanding Ansible </h3> <p>Ansible is like having a robot assistant that can:</p> <ul> <li>SSH into your servers</li> <li>Run commands</li> <li>Install software</li> <li>Copy files</li> <li>Start services</li> </ul> <p><strong>Why Ansible over SSH scripts?</strong></p> <ul> <li> <strong>Idempotent</strong>: Run it multiple times safely (won't break if run twice)</li> <li> <strong>Declarative</strong>: You say "what" you want, not "how" to do it</li> <li> <strong>Organized</strong>: Roles and playbooks keep things organized</li> <li> <strong>Reusable</strong>: Write once, use for dev/stg/prod</li> </ul> <h3> Ansible Playbook Structure </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure TODO Application Server</span> <span class="na">hosts</span><span class="pi">:</span> <span class="s">all</span> <span class="na">become</span><span class="pi">:</span> <span class="s">yes</span> <span class="c1"># Use sudo</span> <span class="na">gather_facts</span><span class="pi">:</span> <span class="s">yes</span> <span class="c1"># Collect info about the server</span> <span class="na">vars</span><span class="pi">:</span> <span class="na">app_user</span><span class="pi">:</span> <span class="s">ubuntu</span> <span class="na">app_dir</span><span class="pi">:</span> <span class="s">/opt/todo-app</span> <span class="na">roles</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">role</span><span class="pi">:</span> <span class="s">dependencies</span> <span class="c1"># Install Docker, etc.</span> <span class="pi">-</span> <span class="na">role</span><span class="pi">:</span> <span class="s">deploy</span> <span class="c1"># Deploy the application</span> </code></pre> </div> <p><strong>Breaking it down:</strong></p> <ul> <li> <code>hosts: all</code> - Run on all servers in inventory</li> <li> <code>become: yes</code> - Use sudo (needed for installing packages)</li> <li> <code>gather_facts</code> - Ansible learns about the server (OS, IP, etc.)</li> <li> <code>roles</code> - Reusable collections of tasks</li> </ul> <h3> Creating the Dependencies Role </h3> <p>This role installs everything the server needs:</p> <p><strong>roles/dependencies/tasks/main.yml:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Update apt cache</span> <span class="na">apt</span><span class="pi">:</span> <span class="na">update_cache</span><span class="pi">:</span> <span class="s">yes</span> <span class="na">cache_valid_time</span><span class="pi">:</span> <span class="m">3600</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install required packages</span> <span class="na">apt</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">git</span> <span class="pi">-</span> <span class="s">curl</span> <span class="pi">-</span> <span class="s">python3</span> <span class="pi">-</span> <span class="s">python3-pip</span> <span class="na">state</span><span class="pi">:</span> <span class="s">present</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Check if Docker is already installed</span> <span class="na">command</span><span class="pi">:</span> <span class="s">docker --version</span> <span class="na">register</span><span class="pi">:</span> <span class="s">docker_check</span> <span class="na">changed_when</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">failed_when</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">ignore_errors</span><span class="pi">:</span> <span class="s">yes</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install Docker (only if not installed)</span> <span class="na">apt</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">docker-ce</span> <span class="pi">-</span> <span class="s">docker-ce-cli</span> <span class="pi">-</span> <span class="s">containerd.io</span> <span class="pi">-</span> <span class="s">docker-compose-plugin</span> <span class="na">state</span><span class="pi">:</span> <span class="s">present</span> <span class="na">when</span><span class="pi">:</span> <span class="s">docker_check.rc != </span><span class="m">0</span> <span class="c1"># Only if Docker not found</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Add user to docker group</span> <span class="na">user</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">app_user</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">groups</span><span class="pi">:</span> <span class="s">docker</span> <span class="na">append</span><span class="pi">:</span> <span class="s">yes</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Start and enable Docker</span> <span class="na">systemd</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">docker</span> <span class="na">state</span><span class="pi">:</span> <span class="s">started</span> <span class="na">enabled</span><span class="pi">:</span> <span class="s">yes</span> </code></pre> </div> <p><strong>Key concepts:</strong></p> <ul> <li> <code>register</code> - Save command output to a variable</li> <li> <code>when</code> - Conditional execution (only if condition is true)</li> <li> <code>changed_when: false</code> - This task never "changes" anything (just checks)</li> <li> <code>state: present</code> - Ensure package is installed (idempotent!)</li> </ul> <h3> Creating the Deploy Role </h3> <p>This role actually deploys your application:</p> <p><strong>roles/deploy/tasks/main.yml:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Create application directory</span> <span class="na">file</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">app_dir</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">state</span><span class="pi">:</span> <span class="s">directory</span> <span class="na">owner</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">app_user</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">group</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">app_user</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">mode</span><span class="pi">:</span> <span class="s1">'</span><span class="s">0755'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Clone repository</span> <span class="na">git</span><span class="pi">:</span> <span class="na">repo</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">repo_url</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">dest</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">app_dir</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">repo_branch</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">default('main')</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">update</span><span class="pi">:</span> <span class="s">yes</span> <span class="na">register</span><span class="pi">:</span> <span class="s">git_pull_result</span> <span class="na">changed_when</span><span class="pi">:</span> <span class="s">git_pull_result.changed</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Create .env file</span> <span class="na">copy</span><span class="pi">:</span> <span class="na">content</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">DOMAIN="{{ domain }}"</span> <span class="s">LETSENCRYPT_EMAIL="{{ letsencrypt_email }}"</span> <span class="s">JWT_SECRET="{{ jwt_secret }}"</span> <span class="s"># ... other variables</span> <span class="na">dest</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">app_dir</span><span class="nv"> </span><span class="s">}}/.env"</span> <span class="na">owner</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">app_user</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">mode</span><span class="pi">:</span> <span class="s1">'</span><span class="s">0600'</span> <span class="na">register</span><span class="pi">:</span> <span class="s">env_file_result</span> <span class="na">changed_when</span><span class="pi">:</span> <span class="s">env_file_result.changed</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Determine if rebuild is needed</span> <span class="na">set_fact</span><span class="pi">:</span> <span class="na">needs_rebuild</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">git_pull_result.changed</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">default(false)</span><span class="nv"> </span><span class="s">or</span><span class="nv"> </span><span class="s">env_file_result.changed</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">default(false)</span><span class="nv"> </span><span class="s">}}"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build images if code/config changed</span> <span class="na">shell</span><span class="pi">:</span> <span class="s">docker compose build</span> <span class="na">args</span><span class="pi">:</span> <span class="na">chdir</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">app_dir</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">when</span><span class="pi">:</span> <span class="s">needs_rebuild | default(false)</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Start/update containers</span> <span class="na">shell</span><span class="pi">:</span> <span class="s">docker compose up -d</span> <span class="na">args</span><span class="pi">:</span> <span class="na">chdir</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">app_dir</span><span class="nv"> </span><span class="s">}}"</span> </code></pre> </div> <p><strong>Making it idempotent:</strong></p> <ul> <li>Only rebuilds if code or config changed</li> <li> <code>docker compose up -d</code> is idempotent (won't restart if nothing changed)</li> <li>Safe to run multiple times</li> </ul> <h3> Environment-Specific Variables </h3> <p>Just like Terraform, Ansible needs separate configuration files for each environment. Create three files:</p> <p><strong>group_vars/dev/vars.yml:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="na">domain</span><span class="pi">:</span> <span class="s2">"</span><span class="s">dev.yourdomain.com"</span> <span class="na">letsencrypt_email</span><span class="pi">:</span> <span class="s2">"</span><span class="s">dev-email@example.com"</span> <span class="na">jwt_secret</span><span class="pi">:</span> <span class="s2">"</span><span class="s">dev-secret-key"</span> <span class="na">repo_url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://github.com/yourusername/path-to-codebase.git"</span> <span class="na">repo_branch</span><span class="pi">:</span> <span class="s2">"</span><span class="s">dev"</span> <span class="c1"># Use dev branch for development</span> </code></pre> </div> <p><strong>group_vars/stg/vars.yml:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="na">domain</span><span class="pi">:</span> <span class="s2">"</span><span class="s">stg.yourdomain.com"</span> <span class="na">letsencrypt_email</span><span class="pi">:</span> <span class="s2">"</span><span class="s">staging-email@example.com"</span> <span class="na">jwt_secret</span><span class="pi">:</span> <span class="s2">"</span><span class="s">staging-secret-key"</span> <span class="c1"># Different from dev!</span> <span class="na">repo_url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://github.com/yourusername/path-to-codebase.git"</span> <span class="na">repo_branch</span><span class="pi">:</span> <span class="s2">"</span><span class="s">staging"</span> <span class="c1"># Use staging branch for staging</span> </code></pre> </div> <p><strong>group_vars/prod/vars.yml:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="na">domain</span><span class="pi">:</span> <span class="s2">"</span><span class="s">yourdomain.com"</span> <span class="na">letsencrypt_email</span><span class="pi">:</span> <span class="s2">"</span><span class="s">prod-email@example.com"</span> <span class="na">jwt_secret</span><span class="pi">:</span> <span class="s2">"</span><span class="s">super-secure-production-secret"</span> <span class="c1"># Different per environment!</span> <span class="na">repo_url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://github.com/yourusername/path-to-codebase.git"</span> <span class="na">repo_branch</span><span class="pi">:</span> <span class="s2">"</span><span class="s">main"</span> <span class="c1"># Use main branch for production</span> </code></pre> </div> <p><strong>Why three separate files?</strong> Each environment needs:</p> <ul> <li> <strong>Different domains</strong>: <code>dev.yourdomain.com</code>, <code>stg.yourdomain.com</code>, <code>yourdomain.com</code> </li> <li> <strong>Different secrets</strong>: If dev gets compromised, staging and prod are still safe</li> <li> <strong>Different branches</strong>: <ul> <li> <code>dev</code> branch → development environment (experimental features)</li> <li> <code>staging</code> branch → staging environment (testing before production)</li> <li> <code>main</code> branch → production environment (stable, tested code)</li> </ul> </li> </ul> <p><strong>File structure:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>infra/ansible/ ├── playbook.yml ├── inventory/ │ ├── dev.yml │ ├── stg.yml │ └── prod.yml └── group_vars/ ├── dev/ │ └── vars.yml ← Development variables ├── stg/ │ └── vars.yml ← Staging variables └── prod/ └── vars.yml ← Production variables </code></pre> </div> <p><strong>Branch strategy explained:</strong></p> <ul> <li> <strong>Development</strong> (<code>dev</code> branch): Where you experiment and develop new features</li> <li> <strong>Staging</strong> (<code>staging</code> branch): Where you test features before they go to production</li> <li> <strong>Production</strong> (<code>main</code> branch): The stable code that real users interact with</li> </ul> <p>This way, you can test changes in dev/staging without affecting production!</p> <h3> Generating Inventory </h3> <p>Terraform automatically generates the Ansible inventory:</p> <p><strong>templates/inventory.tpl:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>all: hosts: todo-app-server: ansible_host: ${server_ip} ansible_user: ${server_user} ansible_ssh_private_key_file: ${ssh_key_path} ansible_ssh_common_args: '-o StrictHostKeyChecking=no' </code></pre> </div> <p>This gets generated as <code>ansible/inventory/dev.yml</code> (or stg.yml, prod.yml) with the actual server IP.</p> <h3> Running Ansible </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># From the ansible directory</span> <span class="nb">cd </span>infra/ansible <span class="c"># Run the playbook</span> ansible-playbook <span class="nt">-i</span> inventory/dev.yml playbook.yml <span class="c"># With verbose output (for debugging)</span> ansible-playbook <span class="nt">-i</span> inventory/dev.yml playbook.yml <span class="nt">-vvv</span> </code></pre> </div> <p><strong>What happens:</strong></p> <ol> <li>Ansible connects to your server via SSH</li> <li>Runs the dependencies role (installs Docker)</li> <li>Runs the deploy role (clones code, starts containers)</li> <li>Your application is live!</li> </ol> <h2> Part 6: CI/CD with GitHub Actions </h2> <p>Now we automate everything. Instead of running commands manually, GitHub Actions does it for us.</p> <h3> Understanding CI/CD </h3> <p><strong>CI (Continuous Integration)</strong>: Automatically test and build when code changes<br> <strong>CD (Continuous Deployment)</strong>: Automatically deploy when tests pass</p> <p><strong>Why CI/CD?</strong></p> <ul> <li> <strong>Consistency</strong>: Same process every time</li> <li> <strong>Speed</strong>: Deploy in minutes, not hours</li> <li> <strong>Safety</strong>: Automated tests catch bugs before production</li> <li> <strong>History</strong>: See what was deployed when</li> </ul> <h3> Setting Up GitHub Secrets </h3> <p>Before workflows can run, they need credentials:</p> <ol> <li>Go to your GitHub repo → Settings → Secrets and variables → Actions</li> <li>Add these secrets: <ul> <li> <code>AWS_ACCESS_KEY_ID</code> - From your IAM user</li> <li> <code>AWS_SECRET_ACCESS_KEY</code> - From your IAM user</li> <li> <code>TERRAFORM_STATE_BUCKET</code> - Your S3 bucket name</li> <li> <code>TERRAFORM_STATE_LOCK_TABLE</code> - Your DynamoDB table name</li> <li> <code>TERRAFORM_KEY_PAIR_NAME</code> - Your EC2 key pair name</li> <li> <code>SSH_PRIVATE_KEY</code> - Contents of your <code>.pem</code> file</li> <li> <code>EMAIL_TO</code> - Where to send drift alerts</li> <li> <code>EMAIL_FROM</code> - Your verified SES email</li> </ul> </li> </ol> <h3> Infrastructure Workflow </h3> <p>This workflow runs when infrastructure code changes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Infrastructure Deployment</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">infra/terraform/**'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">infra/ansible/**'</span> <span class="na">workflow_dispatch</span><span class="pi">:</span> <span class="na">inputs</span><span class="pi">:</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Environment</span><span class="nv"> </span><span class="s">(dev,</span><span class="nv"> </span><span class="s">stg,</span><span class="nv"> </span><span class="s">prod)'</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">type</span><span class="pi">:</span> <span class="s">choice</span> <span class="na">options</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">dev</span><span class="pi">,</span> <span class="nv">stg</span><span class="pi">,</span> <span class="nv">prod</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">terraform-plan</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Plan &amp; Drift Detection</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">aws-access-key-id</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">aws-secret-access-key</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Setup Terraform</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">hashicorp/setup-terraform@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Init</span> <span class="na">working-directory</span><span class="pi">:</span> <span class="s">infra/terraform</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform init -backend-config=...</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Plan</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform plan -out=tfplan</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Check for Drift</span> <span class="na">id</span><span class="pi">:</span> <span class="s">drift-check</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s"># Detect if this is drift (infrastructure changed outside Terraform)</span> <span class="s"># vs expected changes (Terraform code changed)</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Send Drift Email</span> <span class="na">if</span><span class="pi">:</span> <span class="s">steps.drift-check.outputs.change_type == 'drift'</span> <span class="na">run</span><span class="pi">:</span> <span class="s">./infra/ci-cd/scripts/email-notification.sh "$(cat drift_summary.txt)"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Manual Approval</span> <span class="na">if</span><span class="pi">:</span> <span class="s">steps.drift-check.outputs.change_type == 'drift'</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">trstringer/manual-approval@v1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Apply</span> <span class="na">if</span><span class="pi">:</span> <span class="s">steps.manual-approval.outcome == 'success'</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform apply -auto-approve tfplan</span> </code></pre> </div> <h3> Drift Detection in CI/CD (Quick Reference) </h3> <p><strong>Note</strong>: For a detailed explanation of drift detection, email setup, and GitHub approval, see the "Understanding Drift Detection" section earlier in this guide.</p> <p><strong>Quick summary:</strong></p> <ul> <li>Drift = Infrastructure changed outside Terraform</li> <li>Detected automatically in CI/CD</li> <li>Email sent + GitHub issue created</li> <li>Manual approval required before applying</li> </ul> <h3> Application Deployment Workflow </h3> <p>Separate workflow for application code changes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Application Deployment</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">frontend/**'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">auth-api/**'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">todos-api/**'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">docker-compose.yml'</span> <span class="na">workflow_dispatch</span><span class="pi">:</span> <span class="na">inputs</span><span class="pi">:</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Environment'</span> <span class="na">type</span><span class="pi">:</span> <span class="s">choice</span> <span class="na">options</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">dev</span><span class="pi">,</span> <span class="nv">stg</span><span class="pi">,</span> <span class="nv">prod</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Get Server IP</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s"># Find server by tag</span> <span class="s">INSTANCE_ID=$(aws ec2 describe-instances ...)</span> <span class="s">SERVER_IP=$(aws ec2 describe-instances ...)</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy with Ansible</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">ansible-playbook -i inventory/${ENV}.yml playbook.yml --tags deploy</span> </code></pre> </div> <p><strong>Why separate workflows?</strong> Infrastructure changes are rare and need careful review. Application changes are frequent and should deploy quickly.</p> <h3> Infrastructure Destruction Workflow </h3> <p><strong>⚠️ CRITICAL</strong>: This workflow <strong>DESTROYS EVERYTHING</strong>. Use with extreme caution!</p> <p>The destroy workflow is separate from the deployment workflow for safety. It has multiple confirmation steps to prevent accidental destruction.</p> <h4> How the Destroy Workflow Works </h4> <p><strong>Step 1: Manual Trigger Only</strong></p> <ul> <li>Only runs when you manually trigger it (no automatic triggers)</li> <li>Requires you to select the environment</li> <li>Requires you to type "DESTROY" to confirm</li> </ul> <p><strong>Step 2: Validation</strong></p> <ul> <li>Checks that you typed "DESTROY" correctly (case-sensitive)</li> <li>Prevents typos from accidentally destroying infrastructure</li> </ul> <p><strong>Step 3: State File Handling</strong></p> <ul> <li>Tries to download state from artifacts (most recent)</li> <li>Falls back to S3 remote backend if artifacts missing</li> <li>Imports resources if state is completely missing</li> </ul> <p><strong>Step 4: Destroy Plan</strong></p> <ul> <li>Shows you exactly what will be destroyed</li> <li>Review this carefully before proceeding</li> </ul> <p><strong>Step 5: Destruction</strong></p> <ul> <li>Deletes all resources in the correct order</li> <li>Handles dependencies (e.g., detaches volumes before deleting)</li> </ul> <p><strong>Step 6: Verification</strong></p> <ul> <li>Checks that everything was destroyed</li> <li>Cleans up orphaned resources</li> <li>Provides a summary</li> </ul> <h4> The Complete Destroy Workflow </h4> <p>Here's what the actual workflow looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Infrastructure Destruction</span> <span class="na">on</span><span class="pi">:</span> <span class="na">workflow_dispatch</span><span class="pi">:</span> <span class="c1"># Manual trigger only - safe!</span> <span class="na">inputs</span><span class="pi">:</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Environment</span><span class="nv"> </span><span class="s">to</span><span class="nv"> </span><span class="s">destroy</span><span class="nv"> </span><span class="s">(dev,</span><span class="nv"> </span><span class="s">stg,</span><span class="nv"> </span><span class="s">prod)'</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">type</span><span class="pi">:</span> <span class="s">choice</span> <span class="na">options</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">dev</span><span class="pi">,</span> <span class="nv">stg</span><span class="pi">,</span> <span class="nv">prod</span><span class="pi">]</span> <span class="na">default</span><span class="pi">:</span> <span class="s1">'</span><span class="s">dev'</span> <span class="na">confirm_destroy</span><span class="pi">:</span> <span class="na">description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Type</span><span class="nv"> </span><span class="s">"DESTROY"</span><span class="nv"> </span><span class="s">to</span><span class="nv"> </span><span class="s">confirm</span><span class="nv"> </span><span class="s">(case-sensitive)'</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">type</span><span class="pi">:</span> <span class="s">string</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">validate-destroy</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Validate Destruction Request</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Validate confirmation</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">if [ "${{ github.event.inputs.confirm_destroy }}" != "DESTROY" ]; then</span> <span class="s">echo "❌ Invalid confirmation. You must type 'DESTROY' to proceed."</span> <span class="s">exit 1</span> <span class="s">fi</span> <span class="s">echo "✅ Destruction confirmed. Proceeding..."</span> <span class="na">terraform-destroy</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Destroy Infrastructure</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">validate-destroy</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS Credentials</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">aws-access-key-id</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">aws-secret-access-key</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_REGION }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Setup Terraform</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">hashicorp/setup-terraform@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Init (with S3 backend)</span> <span class="na">working-directory</span><span class="pi">:</span> <span class="s">infra/terraform</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">terraform init \</span> <span class="s">-backend-config="bucket=${{ secrets.TERRAFORM_STATE_BUCKET }}" \</span> <span class="s">-backend-config="key=terraform-state/${{ github.event.inputs.environment }}/terraform.tfstate" \</span> <span class="s">-backend-config="region=${{ secrets.AWS_REGION }}" \</span> <span class="s">-backend-config="dynamodb_table=${{ secrets.TERRAFORM_STATE_LOCK_TABLE }}" \</span> <span class="s">-backend-config="encrypt=true"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Plan Destroy</span> <span class="na">working-directory</span><span class="pi">:</span> <span class="s">infra/terraform</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">terraform plan -destroy \</span> <span class="s">-var-file=terraform.${{ github.event.inputs.environment }}.tfvars \</span> <span class="s">-var="key_pair_name=${{ secrets.TERRAFORM_KEY_PAIR_NAME }}" \</span> <span class="s">-out=destroy.tfplan</span> <span class="s">echo ""</span> <span class="s">echo "⚠️ DESTRUCTION PLAN SUMMARY:"</span> <span class="s">terraform show -no-color destroy.tfplan | head -100</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Destroy</span> <span class="na">working-directory</span><span class="pi">:</span> <span class="s">infra/terraform</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">echo "🔥 Starting infrastructure destruction..."</span> <span class="s">terraform destroy -auto-approve \</span> <span class="s">-var-file=terraform.${{ github.event.inputs.environment }}.tfvars \</span> <span class="s">-var="key_pair_name=${{ secrets.TERRAFORM_KEY_PAIR_NAME }}"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Verify Destruction</span> <span class="na">working-directory</span><span class="pi">:</span> <span class="s">infra/terraform</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">echo "🔍 Verifying all resources are destroyed..."</span> <span class="s"># Check for orphaned resources and clean them up</span> </code></pre> </div> <h4> How to Use the Destroy Workflow </h4> <p><strong>Step 1: Go to GitHub Actions</strong></p> <ol> <li>Open your repository on GitHub</li> <li>Click the <strong>"Actions"</strong> tab</li> <li>Find <strong>"Infrastructure Destruction"</strong> in the workflow list</li> </ol> <p><strong>Step 2: Run the Workflow</strong></p> <ol> <li>Click <strong>"Run workflow"</strong> button (top right)</li> <li>Select the <strong>environment</strong> you want to destroy: <ul> <li>⚠️ <strong>Be very careful</strong> - make sure you select the right one!</li> <li>Dev is usually safe to destroy</li> <li>Staging should be destroyed carefully</li> <li><strong>NEVER destroy production unless absolutely necessary!</strong></li> </ul> </li> <li>In the <strong>"Type DESTROY to confirm"</strong> field, type exactly: <code>DESTROY</code> <ul> <li>Must be all caps</li> <li>Must be exactly "DESTROY" (no extra spaces)</li> </ul> </li> <li>Click <strong>"Run workflow"</strong> </li> </ol> <p><strong>Step 3: Watch It Run</strong></p> <ol> <li>The workflow will start with a <strong>validation job</strong> <ul> <li>Checks that you typed "DESTROY" correctly</li> <li>If wrong, workflow fails immediately (safe!)</li> </ul> </li> <li>Then the <strong>terraform-destroy job</strong> runs: <ul> <li>Initializes Terraform with the correct backend</li> <li>Creates a destroy plan (shows what will be deleted)</li> <li><strong>Review the plan carefully!</strong></li> <li>Destroys all resources</li> <li>Verifies everything is gone</li> </ul> </li> </ol> <p><strong>Step 4: Review the Results</strong></p> <ul> <li>Check the workflow logs</li> <li>Verify in AWS Console that resources are gone</li> <li>Check that costs are now $0.00</li> </ul> <h4> Safety Features </h4> <p>The destroy workflow has multiple safety features:</p> <ol> <li> <strong>Manual trigger only</strong> - Can't be triggered automatically</li> <li> <strong>Confirmation required</strong> - Must type "DESTROY" exactly</li> <li> <strong>Environment selection</strong> - Prevents destroying wrong environment</li> <li> <strong>Plan before destroy</strong> - Shows you what will be deleted</li> <li> <strong>Validation job</strong> - Double-checks confirmation before proceeding</li> <li> <strong>State file handling</strong> - Works with remote state (S3)</li> <li> <strong>Verification</strong> - Checks that everything was destroyed</li> </ol> <h4> What Gets Destroyed </h4> <p>When you run the destroy workflow, it deletes:</p> <ul> <li>✅ <strong>EC2 instance</strong> - Your server and everything on it</li> <li>✅ <strong>Security groups</strong> - Firewall rules</li> <li>✅ <strong>EBS volumes</strong> - Any attached storage (if using EBS for state)</li> <li>✅ <strong>All containers</strong> - Docker containers running on the instance</li> <li>✅ <strong>All data</strong> - Everything on the server is permanently lost</li> </ul> <p><strong>What stays:</strong></p> <ul> <li>✅ <strong>S3 bucket</strong> - Your Terraform state bucket (not deleted)</li> <li>✅ <strong>DynamoDB table</strong> - State locking table (not deleted)</li> <li>✅ <strong>GitHub repository</strong> - Your code (not deleted)</li> </ul> <h4> When to Use the Destroy Workflow </h4> <p><strong>Good reasons to destroy:</strong></p> <ul> <li>✅ You're done with the project and want to stop costs</li> <li>✅ You want to start completely fresh</li> <li>✅ You're testing and need to clean up</li> <li>✅ You're moving to a different AWS account</li> </ul> <p><strong>Bad reasons to destroy:</strong></p> <ul> <li>❌ Just to restart services (use Ansible instead)</li> <li>❌ To fix a small issue (fix the issue, don't destroy)</li> <li>❌ Because something isn't working (debug first)</li> <li>❌ In production without a backup plan</li> </ul> <h4> After Destruction </h4> <p><strong>What happens:</strong></p> <ol> <li>All infrastructure is deleted</li> <li>State file in S3 is updated (shows no resources)</li> <li>You stop paying for AWS resources</li> <li>All data is permanently lost</li> </ol> <p><strong>To recreate:</strong></p> <ol> <li>Run the <strong>Infrastructure Deployment</strong> workflow again</li> <li>It will create everything from scratch</li> <li>You'll need to redeploy your application</li> </ol> <p><strong>Important notes:</strong></p> <ul> <li>State file history is preserved in S3</li> <li>You can see what was destroyed in the workflow logs</li> <li>GitHub Actions artifacts are kept for 90 days</li> <li>You can manually delete artifacts if needed</li> </ul> <h4> Destroy Workflow vs Manual Destroy </h4> <p><strong>Use the workflow when:</strong></p> <ul> <li>✅ You want safety features (confirmation, validation)</li> <li>✅ You want to destroy from anywhere (don't need local setup)</li> <li>✅ You want an audit trail (GitHub Actions logs)</li> <li>✅ You're working with a team (everyone can see what happened)</li> </ul> <p><strong>Use manual destroy when:</strong></p> <ul> <li>✅ You need to destroy specific resources only</li> <li>✅ You're debugging and need more control</li> <li>✅ You don't have GitHub Actions set up</li> </ul> <h4> Example: Destroying Development Environment </h4> <p>Let's walk through destroying a dev environment:</p> <ol> <li> <strong>Go to Actions</strong> → <strong>Infrastructure Destruction</strong> </li> <li><strong>Click "Run workflow"</strong></li> <li> <strong>Select environment</strong>: <code>dev</code> </li> <li> <strong>Type confirmation</strong>: <code>DESTROY</code> </li> <li><strong>Click "Run workflow"</strong></li> </ol> <p><strong>What you'll see:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>✅ validate-destroy: Validation passed ✅ terraform-destroy: - Terraform Init: Success - Terraform Plan Destroy: Shows what will be deleted - Terraform Destroy: Deleting resources... - Verify Destruction: All resources destroyed </code></pre> </div> <p><strong>After completion:</strong></p> <ul> <li>Check AWS Console → EC2 → No instances</li> <li>Check AWS Console → Security Groups → No groups</li> <li>Check AWS Billing → Costs should be $0.00</li> </ul> <h4> Troubleshooting Destroy Workflow </h4> <p><strong>Issue: "Invalid confirmation"</strong></p> <ul> <li> <strong>Problem</strong>: You didn't type "DESTROY" exactly</li> <li> <strong>Solution</strong>: Type exactly <code>DESTROY</code> (all caps, no spaces)</li> </ul> <p><strong>Issue: "State file not found"</strong></p> <ul> <li> <strong>Problem</strong>: State file is missing or in wrong location</li> <li> <strong>Solution</strong>: Workflow will try to import resources automatically</li> </ul> <p><strong>Issue: "Resources still exist after destroy"</strong></p> <ul> <li> <strong>Problem</strong>: Some resources might be stuck</li> <li> <strong>Solution</strong>: Check the verification step - it will try to clean up orphaned resources</li> </ul> <p><strong>Issue: "Can't destroy because of dependencies"</strong></p> <ul> <li> <strong>Problem</strong>: Resources have dependencies (e.g., volume attached)</li> <li> <strong>Solution</strong>: Workflow handles this automatically (detaches volumes first)</li> </ul> <h4> Best Practices for Destruction </h4> <ol> <li> <strong>Always destroy dev first</strong> - Test the workflow in dev before using in staging/prod</li> <li> <strong>Review the plan</strong> - Check what will be destroyed before confirming</li> <li> <strong>Backup important data</strong> - If you need any data, back it up first</li> <li> <strong>Destroy during off-hours</strong> - If others are using the environment</li> <li> <strong>Document why</strong> - Add a comment in the workflow run explaining why you destroyed</li> <li> <strong>Verify after</strong> - Check AWS Console to confirm everything is gone</li> <li> <strong>Clean up artifacts</strong> - Delete GitHub Actions artifacts if you want</li> </ol> <h2> Part 7: Single Command Deployment </h2> <p>The ultimate goal: one command that does everything.</p> <h3> How It Works </h3> <p>When you run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform apply <span class="nt">-var-file</span><span class="o">=</span>terraform.dev.tfvars <span class="nt">-auto-approve</span> </code></pre> </div> <p>Here's what happens behind the scenes:</p> <ol> <li> <p><strong>Terraform provisions infrastructure</strong></p> <ul> <li>Creates security group</li> <li>Launches EC2 instance</li> <li>Waits for instance to be ready</li> </ul> </li> <li> <p><strong>Terraform generates Ansible inventory</strong></p> <ul> <li>Creates <code>ansible/inventory/dev.yml</code> with server IP</li> <li>Ready for Ansible to use</li> </ul> </li> <li> <p><strong>Terraform triggers Ansible</strong> (via null_resource)</p> <ul> <li>Waits for SSH to be available</li> <li>Runs Ansible playbook</li> <li>Installs Docker</li> <li>Clones repository</li> <li>Starts containers</li> </ul> </li> <li> <p><strong>Traefik gets SSL certificate</strong></p> <ul> <li>Contacts Let's Encrypt</li> <li>Verifies domain ownership</li> <li>Gets certificate</li> <li>Enables HTTPS</li> </ul> </li> <li> <p><strong>Application is live!</strong></p> <ul> <li>Frontend accessible at <code>https://yourdomain.com</code> </li> <li>APIs at <code>https://yourdomain.com/api/*</code> </li> </ul> </li> </ol> <h3> The Magic: null_resource </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"null_resource"</span> <span class="s2">"ansible_provision"</span> <span class="p">{</span> <span class="nx">triggers</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">instance_id</span> <span class="p">=</span> <span class="nx">aws_instance</span><span class="p">.</span><span class="nx">todo_app</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">provisioner</span> <span class="s2">"local-exec"</span> <span class="p">{</span> <span class="nx">command</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOT</span><span class="sh"> # Wait for SSH until ssh ... 'echo "ready"'; do sleep 10; done # Run Ansible cd ../ansible ansible-playbook -i inventory/${var.environment}.yml playbook.yml </span><span class="no"> EOT </span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>What is null_resource?</strong> It's a Terraform resource that doesn't create anything in AWS. It just runs a command. Perfect for triggering Ansible!</p> <p><strong>Why the wait?</strong> EC2 instances take 30-60 seconds to boot. We wait for SSH to be ready before running Ansible.</p> <h3> Testing the Single Command </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Make sure you're in the terraform directory</span> <span class="nb">cd </span>infra/terraform <span class="c"># Initialize (one-time setup)</span> terraform init <span class="nt">-backend-config</span><span class="o">=</span>... <span class="c"># The magic command</span> terraform apply <span class="nt">-var-file</span><span class="o">=</span>terraform.dev.tfvars <span class="nt">-auto-approve</span> <span class="c"># Watch it work!</span> <span class="c"># You'll see:</span> <span class="c"># 1. Security group created</span> <span class="c"># 2. EC2 instance launching</span> <span class="c"># 3. Waiting for SSH...</span> <span class="c"># 4. Running Ansible...</span> <span class="c"># 5. Application deployed!</span> </code></pre> </div> <p><strong>Pro tip</strong>: The first run takes 5-10 minutes. Subsequent runs are faster (only changes what's needed).</p> <h2> Part 8: Multi-Environment Setup </h2> <p>Real applications need multiple environments. Here's how to set it up properly.</p> <h3> Why Multiple Environments? </h3> <ul> <li> <strong>Dev</strong>: Where you experiment (break things safely)</li> <li> <strong>Staging</strong>: Mirror of production (test before going live)</li> <li> <strong>Production</strong>: The real thing (users depend on it)</li> </ul> <h3> Environment Isolation </h3> <p>Each environment is completely separate:</p> <ul> <li>Different EC2 instances</li> <li>Different security groups</li> <li>Different state files in S3</li> <li>Different domains</li> <li>Different secrets</li> </ul> <p><strong>Why isolation matters:</strong> If dev gets hacked, staging and prod are still safe. If you break dev, staging and prod keep running. This is why we have three separate environments!</p> <h3> Setting Up Per-Environment Configuration </h3> <p><strong>Terraform:</strong></p> <ul> <li> <code>terraform.dev.tfvars</code> - Dev configuration</li> <li> <code>terraform.stg.tfvars</code> - Staging configuration </li> <li> <code>terraform.prod.tfvars</code> - Production configuration</li> </ul> <p><strong>Ansible:</strong></p> <ul> <li> <code>group_vars/dev/vars.yml</code> - Dev variables</li> <li> <code>group_vars/stg/vars.yml</code> - Staging variables</li> <li> <code>group_vars/prod/vars.yml</code> - Production variables</li> </ul> <p><strong>State files:</strong></p> <ul> <li><code>terraform-state/dev/terraform.tfstate</code></li> <li><code>terraform-state/stg/terraform.tfstate</code></li> <li><code>terraform-state/prod/terraform.tfstate</code></li> </ul> <h3> Deploying to Different Environments </h3> <p><strong>Via GitHub Actions:</strong></p> <ol> <li>Go to Actions → Infrastructure Deployment</li> <li>Click "Run workflow"</li> <li>Select environment (dev/stg/prod)</li> <li>Click "Run workflow"</li> </ol> <p><strong>Via command line:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Dev</span> terraform apply <span class="nt">-var-file</span><span class="o">=</span>terraform.dev.tfvars <span class="nt">-auto-approve</span> <span class="c"># Staging</span> terraform apply <span class="nt">-var-file</span><span class="o">=</span>terraform.stg.tfvars <span class="nt">-auto-approve</span> <span class="c"># Production</span> terraform apply <span class="nt">-var-file</span><span class="o">=</span>terraform.prod.tfvars <span class="nt">-auto-approve</span> </code></pre> </div> <p><strong>Important</strong>: Always test in dev first! Never deploy to prod without testing.</p> <h2> Part 9: Common Issues and Solutions </h2> <p>Every project has issues. Here are the ones you'll likely encounter and how to fix them.</p> <h3> Issue 1: Let's Encrypt Certificate Errors </h3> <p><strong>Symptom:</strong> <code>Timeout during connect (likely firewall problem)</code></p> <p><strong>Causes:</strong></p> <ol> <li>DNS not pointing to your server</li> <li>Security group blocking ports 80/443</li> <li>Firewall on the server blocking ports</li> </ol> <p><strong>Solutions:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Verify DNS</span> dig yourdomain.com <span class="c"># Should show your server IP</span> <span class="c"># 2. Check security group</span> <span class="c"># AWS Console → EC2 → Security Groups</span> <span class="c"># Verify ports 80 and 443 allow 0.0.0.0/0</span> <span class="c"># 3. Check server firewall</span> <span class="nb">sudo </span>ufw status <span class="nb">sudo </span>ufw allow 80/tcp <span class="nb">sudo </span>ufw allow 443/tcp <span class="c"># 4. Switch to HTTP challenge (more reliable)</span> <span class="c"># In docker-compose.yml:</span> - <span class="s2">"--certificatesresolvers.letsencrypt.acme.httpchallenge=true"</span> - <span class="s2">"--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"</span> </code></pre> </div> <h3> Issue 2: Terraform State Lock </h3> <p><strong>Symptom:</strong> <code>Error acquiring the state lock</code></p> <p><strong>Cause:</strong> Another Terraform run is in progress, or a previous run crashed</p> <p><strong>Solution:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check what's locking</span> aws dynamodb scan <span class="nt">--table-name</span> terraform-state-lock <span class="c"># If you're sure no one else is running Terraform:</span> terraform force-unlock &lt;LOCK_ID&gt; <span class="c"># Be careful! Only do this if you're certain.</span> </code></pre> </div> <h3> Issue 3: Ansible Connection Failed </h3> <p><strong>Symptom:</strong> <code>SSH connection failed</code> or <code>Permission denied</code></p> <p><strong>Causes:</strong></p> <ol> <li>Security group doesn't allow SSH from your IP</li> <li>Wrong key pair</li> <li>Server not ready yet</li> </ol> <p><strong>Solutions:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Test SSH manually</span> ssh <span class="nt">-i</span> ~/.ssh/your-key.pem ubuntu@&lt;server-ip&gt; <span class="c"># 2. Check security group</span> <span class="c"># Make sure it allows port 22 from your IP</span> <span class="c"># 3. Verify key pair name matches</span> <span class="c"># AWS Console → EC2 → Key Pairs</span> <span class="c"># Should match what's in terraform.tfvars</span> <span class="c"># 4. Wait longer (server might still be booting)</span> <span class="c"># EC2 instances take 1-2 minutes to be ready</span> </code></pre> </div> <h3> Issue 4: Drift Detection Not Working </h3> <p><strong>Symptom:</strong> Changes made manually but drift not detected</p> <p><strong>Check:</strong></p> <ol> <li>Did Terraform files change? (That's "expected", not drift)</li> <li>Is state in S3? (Local state won't work properly)</li> <li>Check drift detection logic in workflow</li> </ol> <p><strong>Test drift:</strong></p> <ol> <li>Manually add a tag to your EC2 instance in AWS Console</li> <li>Run the infrastructure workflow</li> <li>Should detect drift and send email</li> </ol> <h3> Issue 5: Containers Keep Restarting </h3> <p><strong>Symptom:</strong> <code>docker ps</code> shows containers restarting constantly</p> <p><strong>Debug:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check logs</span> docker logs &lt;container-name&gt; <span class="c"># Check all containers</span> docker compose logs <span class="c"># Common causes:</span> <span class="c"># - Configuration error in .env</span> <span class="c"># - Port conflict</span> <span class="c"># - Missing environment variables</span> <span class="c"># - Application crash on startup</span> </code></pre> </div> <h2> Part 10: Best Practices and Security </h2> <p>Now that everything works, let's make it production-ready.</p> <h3> Security Best Practices </h3> <ol> <li> <p><strong>Never commit secrets</strong></p> <ul> <li>Use GitHub Secrets</li> <li>Use environment variables</li> <li>Add <code>.env</code> to <code>.gitignore</code> </li> </ul> </li> <li> <p><strong>Restrict SSH access</strong></p> <ul> <li>In production, set <code>ssh_cidr</code> to your IP only</li> <li>Use <code>YOUR_IP/32</code> format (e.g., <code>1.2.3.4/32</code>)</li> </ul> </li> <li> <p><strong>Use different secrets per environment</strong></p> <ul> <li>Dev JWT secret ≠ Staging JWT secret ≠ Prod JWT secret</li> <li>If dev is compromised, staging and prod are still safe</li> </ul> </li> <li> <p><strong>Enable MFA</strong></p> <ul> <li>On AWS account</li> <li>On GitHub account</li> <li>Extra layer of protection</li> </ul> </li> <li> <p><strong>Regular updates</strong></p> <ul> <li>Keep Docker images updated</li> <li>Keep system packages updated</li> <li>Security patches are important!</li> </ul> </li> </ol> <h3> Infrastructure Best Practices </h3> <ol> <li> <p><strong>Always use remote state</strong></p> <ul> <li>S3 + DynamoDB</li> <li>Never commit state files</li> <li>Enable versioning on S3 bucket</li> </ul> </li> <li> <p><strong>Separate state per environment</strong></p> <ul> <li>Different S3 keys</li> <li>Complete isolation</li> <li>Can't accidentally affect prod from dev</li> </ul> </li> <li> <p><strong>Use version constraints</strong></p> <ul> <li>In Terraform: <code>version = "~&gt; 5.0"</code> </li> <li>Prevents unexpected breaking changes</li> </ul> </li> <li> <p><strong>Tag everything</strong></p> <ul> <li>Makes it easy to find resources</li> <li>Helps with cost tracking</li> <li>Required for organization</li> </ul> </li> </ol> <h3> Deployment Best Practices </h3> <ol> <li> <p><strong>Test in dev first</strong></p> <ul> <li>Always deploy to dev → staging → prod (in that order!)</li> <li>Catch issues early before they reach production</li> <li>Dev is for breaking things</li> </ul> </li> <li> <p><strong>Review drift alerts</strong></p> <ul> <li>Don't ignore them!</li> <li>Investigate unexpected changes</li> <li>Could be security issue</li> </ul> </li> <li> <p><strong>Use idempotent deployments</strong></p> <ul> <li>Safe to run multiple times</li> <li>Ansible should be idempotent</li> <li>Terraform is idempotent by design</li> </ul> </li> <li> <p><strong>Monitor your infrastructure</strong></p> <ul> <li>Set up CloudWatch alarms</li> <li>Monitor costs</li> <li>Watch for unusual activity</li> </ul> </li> </ol> <h3> Cost Optimization </h3> <ol> <li> <p><strong>Right-size instances</strong></p> <ul> <li>Dev: t3.small (saves money)</li> <li>Prod: t3.medium (enough power)</li> <li>Don't over-provision</li> </ul> </li> <li> <p><strong>Stop dev when not in use</strong></p> <ul> <li>Dev doesn't need to run 24/7</li> <li>Stop instances when not testing</li> <li>Saves ~70% of costs</li> </ul> </li> <li> <p><strong>Clean up unused resources</strong></p> <ul> <li>Delete old instances</li> <li>Remove unused security groups</li> <li>Regular cleanup prevents waste</li> </ul> </li> </ol> <h2> Part 11: Going Further </h2> <p>You've built a solid foundation. Here's where to go next.</p> <h3> Monitoring and Observability </h3> <p><strong>Add CloudWatch:</strong></p> <ul> <li>Monitor CPU, memory, disk</li> <li>Set up alarms</li> <li>Track costs</li> </ul> <p><strong>Add Application Monitoring:</strong></p> <ul> <li>Prometheus + Grafana</li> <li>ELK stack for logs</li> <li>APM tools (New Relic, Datadog)</li> </ul> <h3> Scaling </h3> <p><strong>Horizontal Scaling:</strong></p> <ul> <li>Add load balancer</li> <li>Multiple instances</li> <li>Auto-scaling groups</li> </ul> <p><strong>Vertical Scaling:</strong></p> <ul> <li>Larger instance types</li> <li>More CPU/RAM</li> <li>Better performance</li> </ul> <h3> Backup and Disaster Recovery </h3> <p><strong>Backup Strategy:</strong></p> <ul> <li>Database backups</li> <li>State file backups (S3 versioning)</li> <li>Configuration backups</li> </ul> <p><strong>Disaster Recovery:</strong></p> <ul> <li>Multi-region deployment</li> <li>Automated failover</li> <li>Recovery procedures</li> </ul> <h3> Advanced Topics </h3> <ul> <li> <strong>Kubernetes</strong>: Container orchestration at scale</li> <li> <strong>Terraform Modules</strong>: Reusable infrastructure code</li> <li> <strong>Ansible Roles</strong>: Shareable configuration</li> <li> <strong>GitOps</strong>: Git as source of truth</li> <li> <strong>Infrastructure Testing</strong>: Test your infrastructure code</li> </ul> <h2> Conclusion: What You've Accomplished </h2> <p>Let's take a moment to appreciate what you've built:</p> <p>✅ <strong>A microservices application</strong> running in containers<br> ✅ <strong>Automated infrastructure</strong> with Terraform<br> ✅ <strong>Automated deployment</strong> with Ansible<br> ✅ <strong>CI/CD pipelines</strong> that detect problems<br> ✅ <strong>Multi-environment setup</strong> (dev/staging/prod)<br> ✅ <strong>Secure HTTPS</strong> with automatic certificates<br> ✅ <strong>Single-command deployment</strong> that just works<br> ✅ <strong>Production-ready practices</strong> and security</p> <p>This isn't just a tutorial project - this is <strong>real infrastructure</strong> that follows industry best practices. You can use this as a foundation for actual production applications.</p> <h3> Key Takeaways </h3> <ol> <li> <strong>Infrastructure as Code</strong> saves time and prevents mistakes</li> <li> <strong>Automation</strong> is your friend - manual processes break</li> <li> <strong>Security</strong> isn't optional - build it in from the start</li> <li> <strong>Testing</strong> in dev/staging prevents production disasters</li> <li> <strong>Documentation</strong> (this blog post!) helps you and others</li> </ol> <h3> Next Steps </h3> <ol> <li> <strong>Deploy your own project</strong> using this as a template</li> <li> <strong>Experiment</strong> - break things in dev, learn from it</li> <li> <strong>Share</strong> - help others learn what you've learned</li> <li> <strong>Iterate</strong> - improve based on real-world experience</li> </ol> <h3> Resources </h3> <ul> <li><a href="https://www.terraform.io/docs" rel="noopener noreferrer">Terraform Documentation</a></li> <li><a href="https://docs.ansible.com/" rel="noopener noreferrer">Ansible Documentation</a></li> <li><a href="https://doc.traefik.io/traefik/" rel="noopener noreferrer">Traefik Documentation</a></li> <li><a href="https://docs.github.com/en/actions" rel="noopener noreferrer">GitHub Actions Documentation</a></li> <li><a href="https://aws.amazon.com/architecture/well-architected/" rel="noopener noreferrer">AWS Well-Architected Framework</a></li> </ul> <p><strong>Thank you for reading!</strong> If this helped you, please share it with others who might benefit. And if you have questions or run into issues, don't hesitate to reach out.</p> <p>Happy deploying! 🚀</p> <p><em>This guide was written as part of the HNG Internship Stage 6 DevOps task. The complete implementation is available on <a href="https://github.com/Donkross360/DevOps-Stage-6" rel="noopener noreferrer">GitHub</a>.</em></p> devops cicd terraform tutorial Building Your Own Virtual Private Cloud (VPC) on Linux: A Complete Beginner's Guide Mart Young Mon, 10 Nov 2025 10:06:31 +0000 https://dev.to/mart_young_ce778e4c31eb33/building-your-own-virtual-private-cloud-vpc-on-linux-a-complete-beginners-guide-1pnj https://dev.to/mart_young_ce778e4c31eb33/building-your-own-virtual-private-cloud-vpc-on-linux-a-complete-beginners-guide-1pnj <h2> Introduction </h2> <p>Have you ever wondered how cloud providers like AWS, Google Cloud, or Azure create isolated virtual networks? How do they ensure that your resources are completely isolated from others while still allowing controlled communication?</p> <p>In this comprehensive guide, we'll build our own Virtual Private Cloud (VPC) from scratch on Linux using nothing but native Linux networking tools. By the end of this journey, you'll understand the fundamental building blocks of network virtualization and have a working VPC implementation that you can use for learning, testing, or even production workloads.</p> <h3> What You'll Learn </h3> <ul> <li>How to create isolated virtual networks using Linux network namespaces</li> <li>How to connect networks using Linux bridges and virtual Ethernet pairs</li> <li>How to implement routing between subnets</li> <li>How to enable internet access using NAT (Network Address Translation)</li> <li>How to enforce network isolation between different VPCs</li> <li>How to connect VPCs using peering</li> <li>How to implement firewall rules (Security Groups)</li> <li>How to automate VPC management using <code>vpcctl</code> CLI tool</li> </ul> <h3> Our Approach: Learn by Doing, Then Automate </h3> <p>This guide follows a two-part approach:</p> <ol> <li><p><strong>Manual Implementation</strong> (Parts 1-10): We'll build VPCs manually using Linux commands. This helps you understand exactly what's happening under the hood.</p></li> <li><p><strong>Automation with vpcctl</strong> (Part 11): Once you understand the fundamentals, we'll introduce <code>vpcctl</code>, a CLI tool that automates all the manual steps. This is what you'll use in practice!</p></li> </ol> <h3> What is vpcctl? </h3> <p><code>vpcctl</code> is a command-line tool written in Python that automates VPC creation and management. Instead of running dozens of commands manually, you can create a VPC with a single command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Manual way (what we'll learn first)</span> <span class="nb">sudo </span>ip netns add my-ns <span class="nb">sudo </span>ip <span class="nb">link </span>add veth0 <span class="nb">type </span>veth peer name veth1 <span class="c"># ... many more commands ...</span> <span class="c"># Automated way (using vpcctl)</span> <span class="nb">sudo</span> ./vpcctl create <span class="nt">--name</span> myvpc <span class="nt">--cidr</span> 10.0.0.0/16 <span class="nb">sudo</span> ./vpcctl add-subnet <span class="nt">--vpc</span> myvpc <span class="nt">--name</span> public <span class="nt">--cidr</span> 10.0.1.0/24 <span class="nt">--type</span> public </code></pre> </div> <p>Don't worry - we'll get to <code>vpcctl</code> after you understand the fundamentals!</p> <h3> Prerequisites </h3> <p>Before we begin, you'll need:</p> <ul> <li>A Linux system (Ubuntu 20.04+, Debian, or Pop!_OS recommended)</li> <li>Root or sudo access</li> <li>Basic familiarity with the command line</li> <li>Git (to clone the repository)</li> <li>Python 3.6 or higher (for vpcctl)</li> <li>Curiosity and patience! 🚀</li> </ul> <h3> Tools We'll Use </h3> <p>All the tools we'll use are built into Linux:</p> <ul> <li> <strong><code>ip</code></strong> - Modern Linux networking tool</li> <li> <strong><code>brctl</code></strong> - Bridge control utility</li> <li> <strong><code>iptables</code></strong> - Firewall and NAT tool</li> <li> <strong><code>ping</code></strong> - Network connectivity testing</li> <li> <strong><code>curl</code></strong> - HTTP client for testing web servers</li> <li> <strong><code>vpcctl</code></strong> - Our automation tool (we'll get this from the repository)</li> </ul> <p>Let's get started!</p> <h2> Part 1: Understanding the Building Blocks </h2> <h3> What is a VPC? </h3> <p>A Virtual Private Cloud (VPC) is essentially a virtual network that you can use to isolate your resources. Think of it like creating a private room in a shared building - you have your own space with controlled access points.</p> <p>In our implementation:</p> <ul> <li> <strong>VPC</strong> = A virtual network with its own IP address range</li> <li> <strong>Subnet</strong> = A smaller network within the VPC (like a room within the private space)</li> <li> <strong>Bridge</strong> = A virtual router that connects subnets</li> <li> <strong>Namespace</strong> = An isolated network environment (like a separate room)</li> </ul> <h3> The Linux Primitives </h3> <p>Before we dive in, let's understand the Linux networking primitives we'll be using:</p> <ol> <li> <strong>Network Namespaces</strong>: Isolated network environments - think of them as separate computers on the same physical machine</li> <li> <strong>veth Pairs</strong>: Virtual Ethernet cables - they come in pairs, like a cable with two ends</li> <li> <strong>Linux Bridges</strong>: Virtual switches that connect multiple networks</li> <li> <strong>Routing Tables</strong>: Maps that tell packets where to go</li> <li> <strong>iptables</strong>: Firewall and NAT rules</li> </ol> <p>Don't worry if this sounds complex - we'll learn by doing!</p> <h2> Part 2: Setting Up Your Environment </h2> <h3> Step 1: Clone the Repository </h3> <p>First, let's get the project code which includes the <code>vpcctl</code> tool and example scripts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Clone the repository</span> git clone https://github.com/Donkross360/vpc-project.git <span class="nb">cd </span>vpc-project <span class="c"># Alternatively, if you prefer to download:</span> <span class="c"># wget https://github.com/Donkross360/vpc-project/archive/main.zip</span> <span class="c"># unzip main.zip</span> <span class="c"># cd vpc-project-main</span> </code></pre> </div> <p>The repository contains:</p> <ul> <li> <code>vpcctl</code> - The CLI tool for automating VPC management (Python script)</li> <li> <code>examples/</code> - Example scripts and a demo web application</li> <li> <code>README.md</code> - Complete documentation</li> <li> <code>Makefile</code> - Automation for common tasks</li> <li> <code>cleanup.sh</code> - Script to clean up all VPC resources</li> <li> <code>policies/</code> - Example firewall policy files</li> </ul> <h3> Step 2: Install Required Tools </h3> <p>Now, let's make sure we have all the necessary tools installed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Update package list</span> <span class="nb">sudo </span>apt-get update <span class="c"># Install required tools</span> <span class="nb">sudo </span>apt-get <span class="nb">install</span> <span class="nt">-y</span> <span class="se">\</span> iproute2 <span class="se">\</span> bridge-utils <span class="se">\</span> iptables <span class="se">\</span> python3 <span class="se">\</span> curl <span class="se">\</span> git <span class="c"># Make vpcctl executable</span> <span class="nb">chmod</span> +x vpcctl </code></pre> </div> <h3> Step 3: Quick Start with vpcctl (Optional) </h3> <p>Want to see <code>vpcctl</code> in action right away? You can skip ahead to Part 11, or follow along manually to understand how it works. For now, here's a quick preview:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create a VPC with one command</span> <span class="nb">sudo</span> ./vpcctl create <span class="nt">--name</span> demo-vpc <span class="nt">--cidr</span> 10.0.0.0/16 <span class="c"># Add a public subnet</span> <span class="nb">sudo</span> ./vpcctl add-subnet <span class="nt">--vpc</span> demo-vpc <span class="nt">--name</span> public <span class="nt">--cidr</span> 10.0.1.0/24 <span class="nt">--type</span> public <span class="c"># List all VPCs</span> <span class="nb">sudo</span> ./vpcctl list <span class="c"># View VPC details</span> <span class="nb">sudo</span> ./vpcctl show demo-vpc </code></pre> </div> <p>But wait! Before we automate, let's understand what's happening under the hood by building manually first.</p> <h3> Step 4: Enable IP Forwarding </h3> <p>IP forwarding allows Linux to act as a router, forwarding packets between networks. This is essential for our VPC to work:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Enable IP forwarding temporarily</span> <span class="nb">sudo </span>sysctl <span class="nt">-w</span> net.ipv4.ip_forward<span class="o">=</span>1 <span class="c"># Make it permanent (so it survives reboots)</span> <span class="nb">echo</span> <span class="s2">"net.ipv4.ip_forward=1"</span> | <span class="nb">sudo tee</span> <span class="nt">-a</span> /etc/sysctl.conf </code></pre> </div> <p><strong>What this does</strong>: This tells the Linux kernel to forward IP packets between network interfaces, which is necessary for routing traffic between our virtual networks.</p> <h3> Step 5: Identify Your Internet Interface </h3> <p>We need to know which network interface connects your machine to the internet. This will be used for NAT (Network Address Translation) later:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Find your default internet interface</span> <span class="nv">DEFAULT_INTERFACE</span><span class="o">=</span><span class="si">$(</span>ip route show default | <span class="nb">awk</span> <span class="s1">'/default/ {print $5}'</span> | <span class="nb">head</span> <span class="nt">-1</span><span class="si">)</span> <span class="nb">echo</span> <span class="s2">"Internet interface: </span><span class="nv">$DEFAULT_INTERFACE</span><span class="s2">"</span> <span class="c"># Verify the interface exists and is UP</span> ip <span class="nb">link </span>show <span class="nv">$DEFAULT_INTERFACE</span> </code></pre> </div> <p><strong>Expected output</strong>: You should see something like <code>enp0s25</code> or <code>eth0</code> or <code>wlan0</code>. This is your connection to the outside world.</p> <p><strong>Note</strong>: Modern Linux systems use "predictable naming" like <code>enp0s25</code> instead of the traditional <code>eth0</code>. This is normal and expected!</p> <h2> Part 3: Creating Your First Network Namespace </h2> <h3> Understanding Namespaces </h3> <p>A network namespace is like a separate computer with its own network stack. It has its own:</p> <ul> <li>Network interfaces</li> <li>IP addresses</li> <li>Routing tables</li> <li>Firewall rules</li> </ul> <p>Let's create our first namespace to see how it works:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create a network namespace</span> <span class="nb">sudo </span>ip netns add test-ns-1 <span class="c"># List all namespaces</span> <span class="nb">sudo </span>ip netns list <span class="c"># Verify the namespace was created</span> <span class="nb">sudo </span>ip netns <span class="nb">exec </span>test-ns-1 ip <span class="nb">link </span>show </code></pre> </div> <p><strong>What you'll see</strong>: The namespace only has a <code>lo</code> (loopback) interface, which is like a network interface that points back to itself. It's completely isolated from your host system!</p> <h3> Bringing Up the Loopback Interface </h3> <p>Even though the namespace has a loopback interface, it's not active by default. Let's bring it up:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Bring up the loopback interface in the namespace</span> <span class="nb">sudo </span>ip netns <span class="nb">exec </span>test-ns-1 ip <span class="nb">link set </span>lo up <span class="c"># Verify it's up</span> <span class="nb">sudo </span>ip netns <span class="nb">exec </span>test-ns-1 ip <span class="nb">link </span>show lo </code></pre> </div> <p><strong>Success indicator</strong>: You should see <code>state UNKNOWN</code> or <code>state UP</code> instead of <code>state DOWN</code>.</p> <h2> Part 4: Creating Virtual Ethernet Pairs </h2> <h3> What are veth Pairs? </h3> <p>A veth (virtual Ethernet) pair is like a virtual network cable with two ends. Whatever you send into one end comes out the other end. We use these to connect namespaces to the host or to bridges.</p> <p>Let's create our first veth pair:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create a veth pair</span> <span class="nb">sudo </span>ip <span class="nb">link </span>add veth-host <span class="nb">type </span>veth peer name veth-ns <span class="c"># Verify both ends were created</span> ip <span class="nb">link </span>show <span class="nb">type </span>veth </code></pre> </div> <p><strong>What you'll see</strong>: Two interfaces - <code>veth-host</code> and <code>veth-ns</code>. They're connected like two ends of a cable.</p> <h3> Moving One End to a Namespace </h3> <p>Now let's move one end into our namespace. This creates a connection between the host and the namespace:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create a namespace for testing</span> <span class="nb">sudo </span>ip netns add test-ns-2 <span class="c"># Move veth-ns to the namespace</span> <span class="nb">sudo </span>ip <span class="nb">link set </span>veth-ns netns test-ns-2 <span class="c"># Verify veth-ns is now in the namespace</span> <span class="nb">sudo </span>ip netns <span class="nb">exec </span>test-ns-2 ip <span class="nb">link </span>show <span class="c"># Verify veth-host is still on the host</span> ip <span class="nb">link </span>show veth-host </code></pre> </div> <p><strong>What happened</strong>: </p> <ul> <li> <code>veth-ns</code> is now inside <code>test-ns-2</code> and no longer visible on the host</li> <li> <code>veth-host</code> is still on the host</li> <li>They're still connected - data sent through one end will come out the other!</li> </ul> <h3> Assigning IP Addresses </h3> <p>Now let's give both ends IP addresses so they can communicate:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Assign IP to host side</span> <span class="nb">sudo </span>ip addr add 10.0.1.1/24 dev veth-host <span class="nb">sudo </span>ip <span class="nb">link set </span>veth-host up <span class="c"># Assign IP to namespace side</span> <span class="nb">sudo </span>ip netns <span class="nb">exec </span>test-ns-2 ip addr add 10.0.1.10/24 dev veth-ns <span class="nb">sudo </span>ip netns <span class="nb">exec </span>test-ns-2 ip <span class="nb">link set </span>veth-ns up <span class="c"># Bring up loopback in namespace</span> <span class="nb">sudo </span>ip netns <span class="nb">exec </span>test-ns-2 ip <span class="nb">link set </span>lo up </code></pre> </div> <p><strong>Understanding the IP addresses</strong>:</p> <ul> <li> <code>10.0.1.1/24</code> means IP address <code>10.0.1.1</code> with subnet mask <code>255.255.255.0</code> </li> <li>The <code>/24</code> means the first 24 bits are the network part</li> <li> <code>10.0.1.0/24</code> is the network, <code>10.0.1.1</code> and <code>10.0.1.10</code> are hosts in that network</li> </ul> <h3> Testing Connectivity </h3> <p>Let's test if the host and namespace can communicate:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Ping from host to namespace</span> ping <span class="nt">-c</span> 2 10.0.1.10 <span class="c"># Ping from namespace to host</span> <span class="nb">sudo </span>ip netns <span class="nb">exec </span>test-ns-2 ping <span class="nt">-c</span> 2 10.0.1.1 </code></pre> </div> <p><strong>Success!</strong> If both pings work, you've successfully created your first virtual network connection! 🎉</p> <h3> Cleanup </h3> <p>Let's clean up before moving on:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Bring interfaces down</span> <span class="nb">sudo </span>ip <span class="nb">link set </span>veth-host down <span class="nb">sudo </span>ip <span class="nb">link </span>delete veth-host <span class="c"># Delete namespace (this also removes veth-ns)</span> <span class="nb">sudo </span>ip netns delete test-ns-2 <span class="nb">sudo </span>ip netns delete test-ns-1 </code></pre> </div> <h2> Part 5: Creating a Linux Bridge (Your First Router) </h2> <h3> What is a Linux Bridge? </h3> <p>A Linux bridge is like a virtual network switch. It can connect multiple network interfaces and forward traffic between them. In our VPC, the bridge will act as a router, connecting multiple subnets.</p> <p>Let's create our first bridge:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create a bridge</span> <span class="nb">sudo </span>ip <span class="nb">link </span>add br-test <span class="nb">type </span>bridge <span class="c"># Bring it up</span> <span class="nb">sudo </span>ip <span class="nb">link set </span>br-test up <span class="c"># Verify it was created</span> ip <span class="nb">link </span>show br-test </code></pre> </div> <h3> Connecting a Namespace to the Bridge </h3> <p>Now let's connect a namespace to our bridge using a veth pair:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create namespace</span> <span class="nb">sudo </span>ip netns add test-ns-3 <span class="c"># Create veth pair</span> <span class="nb">sudo </span>ip <span class="nb">link </span>add veth-br-host <span class="nb">type </span>veth peer name veth-br-ns <span class="c"># Move namespace end to namespace</span> <span class="nb">sudo </span>ip <span class="nb">link set </span>veth-br-ns netns test-ns-3 <span class="c"># Connect host end to bridge (IMPORTANT: Do this before bringing it up!)</span> <span class="nb">sudo </span>ip <span class="nb">link set </span>veth-br-host master br-test <span class="c"># Bring host end up</span> <span class="nb">sudo </span>ip <span class="nb">link set </span>veth-br-host up <span class="c"># Configure namespace</span> <span class="nb">sudo </span>ip netns <span class="nb">exec </span>test-ns-3 ip <span class="nb">link set </span>lo up <span class="nb">sudo </span>ip netns <span class="nb">exec </span>test-ns-3 ip addr add 10.0.1.10/24 dev veth-br-ns <span class="nb">sudo </span>ip netns <span class="nb">exec </span>test-ns-3 ip <span class="nb">link set </span>veth-br-ns up <span class="c"># Assign IP to bridge (this acts as the gateway)</span> <span class="nb">sudo </span>ip addr add 10.0.1.1/24 dev br-test </code></pre> </div> <p><strong>Key points</strong>:</p> <ul> <li>The bridge IP (<code>10.0.1.1</code>) acts as the gateway for the namespace</li> <li>The namespace and bridge must be in the same subnet (<code>10.0.1.0/24</code>)</li> <li>We attach the veth to the bridge BEFORE bringing it up</li> </ul> <h3> Adding a Default Route </h3> <p>The namespace needs to know where to send packets that aren't in its local network. Let's add a default route:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Add default route in namespace (points to bridge as gateway)</span> <span class="nb">sudo </span>ip netns <span class="nb">exec </span>test-ns-3 ip route add default via 10.0.1.1 dev veth-br-ns <span class="c"># Verify the route</span> <span class="nb">sudo </span>ip netns <span class="nb">exec </span>test-ns-3 ip route show </code></pre> </div> <h3> Testing Connectivity </h3> <p>Let's test if the namespace can reach the bridge:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Ping bridge from namespace</span> <span class="nb">sudo </span>ip netns <span class="nb">exec </span>test-ns-3 ping <span class="nt">-c</span> 2 10.0.1.1 <span class="c"># Verify bridge sees the connection</span> brctl show br-test </code></pre> </div> <p><strong>Expected output</strong>: The bridge should show <code>veth-br-host</code> as a connected interface, and the ping should succeed!</p> <h3> Connecting Multiple Namespaces </h3> <p>Now let's add a second namespace to the same bridge to create a small network:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create second namespace</span> <span class="nb">sudo </span>ip netns add test-ns-4 <span class="c"># Create second veth pair</span> <span class="nb">sudo </span>ip <span class="nb">link </span>add veth-br-host-2 <span class="nb">type </span>veth peer name veth-br-ns-2 <span class="c"># Move namespace end to namespace</span> <span class="nb">sudo </span>ip <span class="nb">link set </span>veth-br-ns-2 netns test-ns-4 <span class="c"># Connect to bridge</span> <span class="nb">sudo </span>ip <span class="nb">link set </span>veth-br-host-2 master br-test <span class="nb">sudo </span>ip <span class="nb">link set </span>veth-br-host-2 up <span class="c"># Configure second namespace</span> <span class="nb">sudo </span>ip netns <span class="nb">exec </span>test-ns-4 ip <span class="nb">link set </span>lo up <span class="nb">sudo </span>ip netns <span class="nb">exec </span>test-ns-4 ip addr add 10.0.1.20/24 dev veth-br-ns-2 <span class="nb">sudo </span>ip netns <span class="nb">exec </span>test-ns-4 ip <span class="nb">link set </span>veth-br-ns-2 up <span class="nb">sudo </span>ip netns <span class="nb">exec </span>test-ns-4 ip route add default via 10.0.1.1 dev veth-br-ns-2 <span class="c"># Test connectivity between namespaces</span> <span class="nb">sudo </span>ip netns <span class="nb">exec </span>test-ns-3 ping <span class="nt">-c</span> 2 10.0.1.20 <span class="nb">sudo </span>ip netns <span class="nb">exec </span>test-ns-4 ping <span class="nt">-c</span> 2 10.0.1.10 </code></pre> </div> <p><strong>Success!</strong> Both namespaces can now communicate with each other through the bridge! This is the foundation of our VPC.</p> <h2> Part 6: Building Your First VPC </h2> <h3> Understanding VPC Structure </h3> <p>A VPC consists of:</p> <ol> <li> <strong>A bridge</strong> that acts as the VPC router</li> <li> <strong>Multiple subnets</strong> (network namespaces)</li> <li> <strong>veth pairs</strong> connecting subnets to the bridge</li> <li> <strong>Routing tables</strong> directing traffic</li> <li> <strong>NAT rules</strong> for internet access (for public subnets)</li> </ol> <p>Let's build a complete VPC with public and private subnets!</p> <h3> Step 1: Create the VPC Bridge </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create VPC bridge</span> <span class="nb">sudo </span>ip <span class="nb">link </span>add br-vpc1 <span class="nb">type </span>bridge <span class="nb">sudo </span>ip <span class="nb">link set </span>br-vpc1 up <span class="c"># Assign bridge IP addresses for each subnet</span> <span class="c"># The bridge needs an IP in each subnet to act as the gateway</span> <span class="nb">sudo </span>ip addr add 10.0.1.1/24 dev br-vpc1 <span class="c"># Gateway for public subnet</span> <span class="nb">sudo </span>ip addr add 10.0.2.1/24 dev br-vpc1 <span class="c"># Gateway for private subnet</span> <span class="nb">sudo </span>ip addr add 10.0.0.1/16 dev br-vpc1 <span class="c"># VPC router IP (optional)</span> </code></pre> </div> <p><strong>Why multiple IPs?</strong> The bridge needs to be in the same subnet as each namespace it serves as a gateway for. This allows the namespaces to reach the gateway using ARP (Address Resolution Protocol).</p> <h3> Step 2: Create Public Subnet </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create public subnet namespace</span> <span class="nb">sudo </span>ip netns add ns-vpc1-public <span class="c"># Create veth pair for public subnet</span> <span class="c"># Note: Interface names must be 15 characters or less (Linux limit)</span> <span class="nb">sudo </span>ip <span class="nb">link </span>add veth-vpc1-pub-h <span class="nb">type </span>veth peer name veth-vpc1-pub-n <span class="c"># Move namespace end to namespace</span> <span class="nb">sudo </span>ip <span class="nb">link set </span>veth-vpc1-pub-n netns ns-vpc1-public <span class="c"># Connect host end to bridge</span> <span class="nb">sudo </span>ip <span class="nb">link set </span>veth-vpc1-pub-h master br-vpc1 <span class="nb">sudo </span>ip <span class="nb">link set </span>veth-vpc1-pub-h up <span class="c"># Configure public subnet</span> <span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-vpc1-public ip <span class="nb">link set </span>lo up <span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-vpc1-public ip addr add 10.0.1.10/24 dev veth-vpc1-pub-n <span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-vpc1-public ip <span class="nb">link set </span>veth-vpc1-pub-n up <span class="c"># Add routes</span> <span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-vpc1-public ip route add default via 10.0.1.1 dev veth-vpc1-pub-n <span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-vpc1-public ip route add 10.0.2.0/24 via 10.0.1.1 dev veth-vpc1-pub-n </code></pre> </div> <h3> Step 3: Create Private Subnet </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create private subnet namespace</span> <span class="nb">sudo </span>ip netns add ns-vpc1-private <span class="c"># Create veth pair for private subnet</span> <span class="nb">sudo </span>ip <span class="nb">link </span>add veth-vpc1-prv-h <span class="nb">type </span>veth peer name veth-vpc1-prv-n <span class="c"># Move namespace end to namespace</span> <span class="nb">sudo </span>ip <span class="nb">link set </span>veth-vpc1-prv-n netns ns-vpc1-private <span class="c"># Connect host end to bridge</span> <span class="nb">sudo </span>ip <span class="nb">link set </span>veth-vpc1-prv-h master br-vpc1 <span class="nb">sudo </span>ip <span class="nb">link set </span>veth-vpc1-prv-h up <span class="c"># Configure private subnet</span> <span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-vpc1-private ip <span class="nb">link set </span>lo up <span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-vpc1-private ip addr add 10.0.2.10/24 dev veth-vpc1-prv-n <span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-vpc1-private ip <span class="nb">link set </span>veth-vpc1-prv-n up <span class="c"># Add routes</span> <span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-vpc1-private ip route add default via 10.0.2.1 dev veth-vpc1-prv-n <span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-vpc1-private ip route add 10.0.1.0/24 via 10.0.2.1 dev veth-vpc1-prv-n </code></pre> </div> <h3> Step 4: Enable Proxy ARP </h3> <p>Proxy ARP allows the bridge to respond to ARP requests for IP addresses in different subnets. This is essential for inter-subnet routing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Enable proxy ARP on bridge and veth interfaces</span> <span class="nb">sudo </span>sysctl <span class="nt">-w</span> net.ipv4.conf.br-vpc1.proxy_arp<span class="o">=</span>1 <span class="nb">sudo </span>sysctl <span class="nt">-w</span> net.ipv4.conf.veth-vpc1-pub-h.proxy_arp<span class="o">=</span>1 <span class="nb">sudo </span>sysctl <span class="nt">-w</span> net.ipv4.conf.veth-vpc1-prv-h.proxy_arp<span class="o">=</span>1 </code></pre> </div> <p><strong>What is Proxy ARP?</strong> Normally, a device only responds to ARP requests for IPs on its own interface. Proxy ARP allows the bridge to respond for IPs in connected subnets, enabling routing.</p> <h3> Step 5: Test Inter-Subnet Communication </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Test: public to private</span> <span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-vpc1-public ping <span class="nt">-c</span> 2 10.0.2.10 <span class="c"># Test: private to public</span> <span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-vpc1-private ping <span class="nt">-c</span> 2 10.0.1.10 </code></pre> </div> <p><strong>Success!</strong> Your subnets can now communicate with each other! 🎉</p> <h2> Part 7: Enabling Internet Access with NAT </h2> <h3> Understanding NAT </h3> <p>Network Address Translation (NAT) allows private IP addresses to access the internet by translating them to a public IP address. This is how your home router works!</p> <h3> Step 1: Enable NAT for Public Subnet </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Get your internet interface (we identified this earlier)</span> <span class="nv">DEFAULT_INTERFACE</span><span class="o">=</span><span class="si">$(</span>ip route show default | <span class="nb">awk</span> <span class="s1">'/default/ {print $5}'</span> | <span class="nb">head</span> <span class="nt">-1</span><span class="si">)</span> <span class="c"># Add NAT rule for public subnet</span> <span class="nb">sudo </span>iptables <span class="nt">-t</span> nat <span class="nt">-A</span> POSTROUTING <span class="nt">-s</span> 10.0.1.0/24 <span class="nt">-o</span> <span class="nv">$DEFAULT_INTERFACE</span> <span class="nt">-j</span> MASQUERADE <span class="c"># Verify the rule</span> <span class="nb">sudo </span>iptables <span class="nt">-t</span> nat <span class="nt">-L</span> POSTROUTING <span class="nt">-n</span> <span class="nt">-v</span> </code></pre> </div> <p><strong>What this does</strong>: </p> <ul> <li> <code>-s 10.0.1.0/24</code> - Source is the public subnet</li> <li> <code>-o $DEFAULT_INTERFACE</code> - Outgoing interface is your internet connection</li> <li> <code>-j MASQUERADE</code> - Masquerade (NAT) the traffic</li> </ul> <h3> Step 2: Configure DNS </h3> <p>Namespaces need DNS to resolve domain names:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create DNS configuration for namespace</span> <span class="nb">sudo mkdir</span> <span class="nt">-p</span> /etc/netns/ns-vpc1-public <span class="nb">echo</span> <span class="s2">"nameserver 8.8.8.8"</span> | <span class="nb">sudo tee</span> /etc/netns/ns-vpc1-public/resolv.conf <span class="nb">echo</span> <span class="s2">"nameserver 8.8.4.4"</span> | <span class="nb">sudo tee</span> <span class="nt">-a</span> /etc/netns/ns-vpc1-public/resolv.conf </code></pre> </div> <h3> Step 3: Test Internet Access </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Test: ping Google's DNS</span> <span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-vpc1-public ping <span class="nt">-c</span> 2 8.8.8.8 <span class="c"># Test: ping Google by domain name</span> <span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-vpc1-public ping <span class="nt">-c</span> 2 google.com </code></pre> </div> <p><strong>Success!</strong> Your public subnet can now access the internet! 🌐</p> <h3> Step 4: Verify Private Subnet Isolation </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Private subnet should NOT be able to access internet (no NAT)</span> <span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-vpc1-private ping <span class="nt">-c</span> 2 8.8.8.8 </code></pre> </div> <p><strong>Expected result</strong>: The ping should fail or timeout. This is correct - private subnets don't have NAT, so they can't access the internet directly.</p> <h2> Part 8: Creating Multiple VPCs and Enforcing Isolation </h2> <h3> Creating a Second VPC </h3> <p>Let's create a second VPC to demonstrate isolation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create second VPC bridge</span> <span class="nb">sudo </span>ip <span class="nb">link </span>add br-vpc2 <span class="nb">type </span>bridge <span class="nb">sudo </span>ip <span class="nb">link set </span>br-vpc2 up <span class="c"># Assign bridge IPs</span> <span class="nb">sudo </span>ip addr add 172.16.1.1/24 dev br-vpc2 <span class="c"># Gateway for public subnet</span> <span class="nb">sudo </span>ip addr add 172.16.2.1/24 dev br-vpc2 <span class="c"># Gateway for private subnet</span> <span class="nb">sudo </span>ip addr add 172.16.0.1/16 dev br-vpc2 <span class="c"># VPC router IP</span> <span class="c"># Create public subnet for VPC2</span> <span class="nb">sudo </span>ip netns add ns-vpc2-public <span class="nb">sudo </span>ip <span class="nb">link </span>add veth-vpc2-pub-h <span class="nb">type </span>veth peer name veth-vpc2-pub-n <span class="nb">sudo </span>ip <span class="nb">link set </span>veth-vpc2-pub-n netns ns-vpc2-public <span class="nb">sudo </span>ip <span class="nb">link set </span>veth-vpc2-pub-h master br-vpc2 <span class="nb">sudo </span>ip <span class="nb">link set </span>veth-vpc2-pub-h up <span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-vpc2-public ip <span class="nb">link set </span>lo up <span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-vpc2-public ip addr add 172.16.1.10/24 dev veth-vpc2-pub-n <span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-vpc2-public ip <span class="nb">link set </span>veth-vpc2-pub-n up <span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-vpc2-public ip route add default via 172.16.1.1 dev veth-vpc2-pub-n <span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-vpc2-public ip route add 172.16.2.0/24 via 172.16.1.1 dev veth-vpc2-pub-n <span class="c"># Create private subnet for VPC2</span> <span class="nb">sudo </span>ip netns add ns-vpc2-private <span class="nb">sudo </span>ip <span class="nb">link </span>add veth-vpc2-prv-h <span class="nb">type </span>veth peer name veth-vpc2-prv-n <span class="nb">sudo </span>ip <span class="nb">link set </span>veth-vpc2-prv-n netns ns-vpc2-private <span class="nb">sudo </span>ip <span class="nb">link set </span>veth-vpc2-prv-h master br-vpc2 <span class="nb">sudo </span>ip <span class="nb">link set </span>veth-vpc2-prv-h up <span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-vpc2-private ip <span class="nb">link set </span>lo up <span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-vpc2-private ip addr add 172.16.2.10/24 dev veth-vpc2-prv-n <span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-vpc2-private ip <span class="nb">link set </span>veth-vpc2-prv-n up <span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-vpc2-private ip route add default via 172.16.2.1 dev veth-vpc2-prv-n <span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-vpc2-private ip route add 172.16.1.0/24 via 172.16.2.1 dev veth-vpc2-prv-n <span class="c"># Enable proxy ARP</span> <span class="nb">sudo </span>sysctl <span class="nt">-w</span> net.ipv4.conf.br-vpc2.proxy_arp<span class="o">=</span>1 <span class="nb">sudo </span>sysctl <span class="nt">-w</span> net.ipv4.conf.veth-vpc2-pub-h.proxy_arp<span class="o">=</span>1 <span class="nb">sudo </span>sysctl <span class="nt">-w</span> net.ipv4.conf.veth-vpc2-prv-h.proxy_arp<span class="o">=</span>1 <span class="c"># Add NAT for VPC2 public subnet</span> <span class="nv">DEFAULT_INTERFACE</span><span class="o">=</span><span class="si">$(</span>ip route show default | <span class="nb">awk</span> <span class="s1">'/default/ {print $5}'</span> | <span class="nb">head</span> <span class="nt">-1</span><span class="si">)</span> <span class="nb">sudo </span>iptables <span class="nt">-t</span> nat <span class="nt">-A</span> POSTROUTING <span class="nt">-s</span> 172.16.1.0/24 <span class="nt">-o</span> <span class="nv">$DEFAULT_INTERFACE</span> <span class="nt">-j</span> MASQUERADE <span class="c"># Configure DNS</span> <span class="nb">sudo mkdir</span> <span class="nt">-p</span> /etc/netns/ns-vpc2-public <span class="nb">echo</span> <span class="s2">"nameserver 8.8.8.8"</span> | <span class="nb">sudo tee</span> /etc/netns/ns-vpc2-public/resolv.conf <span class="nb">echo</span> <span class="s2">"nameserver 8.8.4.4"</span> | <span class="nb">sudo tee</span> <span class="nt">-a</span> /etc/netns/ns-vpc2-public/resolv.conf </code></pre> </div> <h3> Enforcing VPC Isolation </h3> <p>By default, Linux might route traffic between VPCs. We need to explicitly block this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Block traffic between VPC1 and VPC2</span> <span class="nb">sudo </span>iptables <span class="nt">-A</span> FORWARD <span class="nt">-s</span> 10.0.0.0/16 <span class="nt">-d</span> 172.16.0.0/16 <span class="nt">-j</span> DROP <span class="nb">sudo </span>iptables <span class="nt">-A</span> FORWARD <span class="nt">-s</span> 172.16.0.0/16 <span class="nt">-d</span> 10.0.0.0/16 <span class="nt">-j</span> DROP <span class="c"># Verify isolation</span> <span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-vpc1-public ping <span class="nt">-c</span> 2 172.16.1.10 </code></pre> </div> <p><strong>Expected result</strong>: The ping should fail! VPCs are now isolated from each other. 🔒</p> <h2> Part 9: VPC Peering (Connecting VPCs) </h2> <h3> What is VPC Peering? </h3> <p>VPC peering allows you to connect two VPCs so they can communicate with each other. This is useful when you want controlled communication between different environments.</p> <h3> Step 1: Create Peering Connection </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create veth pair for peering</span> <span class="nb">sudo </span>ip <span class="nb">link </span>add veth-peer-1 <span class="nb">type </span>veth peer name veth-peer-2 <span class="c"># Connect one end to VPC1 bridge</span> <span class="nb">sudo </span>ip <span class="nb">link set </span>veth-peer-1 master br-vpc1 <span class="nb">sudo </span>ip <span class="nb">link set </span>veth-peer-1 up <span class="c"># Use a shared /30 subnet for peering (192.168.255.0/30)</span> <span class="nb">sudo </span>ip addr add 192.168.255.1/30 dev veth-peer-1 <span class="c"># Connect other end to VPC2 bridge</span> <span class="nb">sudo </span>ip <span class="nb">link set </span>veth-peer-2 master br-vpc2 <span class="nb">sudo </span>ip <span class="nb">link set </span>veth-peer-2 up <span class="c"># Same subnet - this is the peer IP</span> <span class="nb">sudo </span>ip addr add 192.168.255.2/30 dev veth-peer-2 </code></pre> </div> <p><strong>Why a /30 subnet?</strong> A /30 subnet provides exactly 2 usable IPs (<code>.1</code> and <code>.2</code>), perfect for a point-to-point link between two VPCs.</p> <h3> Step 2: Add Routes </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Add route on host to reach VPC2 through peering link</span> <span class="nb">sudo </span>ip route add 172.16.0.0/16 via 192.168.255.2 dev veth-peer-1 <span class="c"># Add route on host to reach VPC1 through peering link</span> <span class="nb">sudo </span>ip route add 10.0.0.0/16 via 192.168.255.1 dev veth-peer-2 <span class="c"># Remove isolation rules (peering should allow communication)</span> <span class="nb">sudo </span>iptables <span class="nt">-D</span> FORWARD <span class="nt">-s</span> 10.0.0.0/16 <span class="nt">-d</span> 172.16.0.0/16 <span class="nt">-j</span> DROP 2&gt;/dev/null <span class="o">||</span> <span class="nb">true sudo </span>iptables <span class="nt">-D</span> FORWARD <span class="nt">-s</span> 172.16.0.0/16 <span class="nt">-d</span> 10.0.0.0/16 <span class="nt">-j</span> DROP 2&gt;/dev/null <span class="o">||</span> <span class="nb">true</span> <span class="c"># Add routes in namespaces to reach the peer VPC</span> <span class="c"># In VPC1 namespaces, add route to VPC2</span> <span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-vpc1-public ip route add 172.16.0.0/16 via 10.0.1.1 dev veth-vpc1-pub-n <span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-vpc1-private ip route add 172.16.0.0/16 via 10.0.2.1 dev veth-vpc1-prv-n <span class="c"># In VPC2 namespaces, add route to VPC1</span> <span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-vpc2-public ip route add 10.0.0.0/16 via 172.16.1.1 dev veth-vpc2-pub-n <span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-vpc2-private ip route add 10.0.0.0/16 via 172.16.2.1 dev veth-vpc2-prv-n </code></pre> </div> <h3> Step 3: Test Peering </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Test VPC1 to VPC2 connectivity</span> <span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-vpc1-public ping <span class="nt">-c</span> 2 172.16.1.10 <span class="c"># Test VPC2 to VPC1 connectivity</span> <span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-vpc2-public ping <span class="nt">-c</span> 2 10.0.1.10 </code></pre> </div> <p><strong>Success!</strong> VPCs can now communicate through peering! 🌉</p> <h2> Part 10: Implementing Firewall Rules (Security Groups) </h2> <h3> What are Security Groups? </h3> <p>Security Groups are firewall rules that control inbound and outbound traffic. In our implementation, we'll use iptables in each namespace to enforce these rules.</p> <h3> Step 1: Create a Firewall Policy </h3> <p>Create a JSON file with your firewall rules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> <span class="o">&gt;</span> firewall-policy.json <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> { "subnet": "10.0.1.0/24", "ingress": [ {"port": 80, "protocol": "tcp", "action": "allow"}, {"port": 443, "protocol": "tcp", "action": "allow"}, {"port": 22, "protocol": "tcp", "action": "deny"} ], "egress": [ {"port": 0, "protocol": "all", "action": "allow"} ] } </span><span class="no">EOF </span></code></pre> </div> <h3> Step 2: Apply Firewall Rules </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Allow HTTP (port 80)</span> <span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-vpc1-public iptables <span class="nt">-A</span> INPUT <span class="nt">-p</span> tcp <span class="nt">--dport</span> 80 <span class="nt">-j</span> ACCEPT <span class="c"># Allow HTTPS (port 443)</span> <span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-vpc1-public iptables <span class="nt">-A</span> INPUT <span class="nt">-p</span> tcp <span class="nt">--dport</span> 443 <span class="nt">-j</span> ACCEPT <span class="c"># Deny SSH (port 22)</span> <span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-vpc1-public iptables <span class="nt">-A</span> INPUT <span class="nt">-p</span> tcp <span class="nt">--dport</span> 22 <span class="nt">-j</span> DROP <span class="c"># Allow established connections</span> <span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-vpc1-public iptables <span class="nt">-A</span> INPUT <span class="nt">-m</span> state <span class="nt">--state</span> ESTABLISHED,RELATED <span class="nt">-j</span> ACCEPT <span class="c"># Allow loopback</span> <span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-vpc1-public iptables <span class="nt">-A</span> INPUT <span class="nt">-i</span> lo <span class="nt">-j</span> ACCEPT <span class="c"># Set default policy to DROP</span> <span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-vpc1-public iptables <span class="nt">-P</span> INPUT DROP </code></pre> </div> <h3> Step 3: Deploy a Web Server </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Deploy a simple HTTP server in the public subnet</span> <span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-vpc1-public python3 <span class="nt">-m</span> http.server 80 &amp; <span class="c"># Test HTTP access (should work)</span> curl http://10.0.1.10:80 <span class="c"># Test SSH access (should be blocked)</span> nc <span class="nt">-zv</span> 10.0.1.10 22 </code></pre> </div> <p><strong>Expected results</strong>:</p> <ul> <li>HTTP works ✅</li> <li>SSH is blocked ❌</li> </ul> <h2> Part 11: Automating with vpcctl </h2> <h3> Why Automate? </h3> <p>By now, you've learned how to manually create VPCs using Linux commands. You've seen how namespaces, bridges, veth pairs, routing, and NAT all work together. This knowledge is invaluable!</p> <p>However, creating VPCs manually requires dozens of commands and is error-prone. That's where <code>vpcctl</code> comes in - it's a CLI tool that automates all the steps we've learned, making VPC management as simple as a single command.</p> <h3> Getting Started with vpcctl </h3> <p><strong>Important</strong>: Before using <code>vpcctl</code>, make sure you've cloned the repository as shown in Part 2, Step 1. The <code>vpcctl</code> tool is included in the repository.</p> <p>If you haven't done so already:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Clone the repository</span> git clone https://github.com/Donkross360/vpc-project.git <span class="nb">cd </span>vpc-project <span class="c"># Make vpcctl executable</span> <span class="nb">chmod</span> +x vpcctl <span class="c"># Verify it works</span> ./vpcctl <span class="nt">--help</span> </code></pre> </div> <h3> Understanding What vpcctl Does </h3> <p><code>vpcctl</code> is a Python CLI tool that automates everything we did manually:</p> <ul> <li> <strong>Creates VPCs</strong> - Sets up bridges with proper IP addresses</li> <li> <strong>Adds Subnets</strong> - Creates namespaces, veth pairs, and configures routing</li> <li> <strong>Enables NAT</strong> - Automatically configures NAT for public subnets</li> <li> <strong>Manages Peering</strong> - Creates VPC peering connections</li> <li> <strong>Applies Firewall Rules</strong> - Reads JSON policies and applies iptables rules</li> <li> <strong>Enforces Isolation</strong> - Ensures VPCs are isolated by default</li> <li> <strong>Maintains State</strong> - Tracks all VPCs in a JSON file</li> </ul> <h3> Basic Usage </h3> <p>Now that you understand how VPCs work manually, let's see how <code>vpcctl</code> simplifies everything:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create a VPC (replaces all the manual bridge creation)</span> <span class="nb">sudo</span> ./vpcctl create <span class="nt">--name</span> myvpc <span class="nt">--cidr</span> 10.0.0.0/16 <span class="c"># Add a public subnet (replaces namespace, veth, routing setup)</span> <span class="nb">sudo</span> ./vpcctl add-subnet <span class="nt">--vpc</span> myvpc <span class="nt">--name</span> public <span class="nt">--cidr</span> 10.0.1.0/24 <span class="nt">--type</span> public <span class="c"># Add a private subnet</span> <span class="nb">sudo</span> ./vpcctl add-subnet <span class="nt">--vpc</span> myvpc <span class="nt">--name</span> private <span class="nt">--cidr</span> 10.0.2.0/24 <span class="nt">--type</span> private <span class="c"># List all VPCs</span> <span class="nb">sudo</span> ./vpcctl list <span class="c"># Show VPC details (namespace, IPs, etc.)</span> <span class="nb">sudo</span> ./vpcctl show myvpc <span class="c"># Apply firewall rules from a JSON policy</span> <span class="nb">sudo</span> ./vpcctl apply-firewall <span class="nt">--vpc</span> myvpc <span class="nt">--subnet</span> public <span class="nt">--policy</span> policies/public-subnet.json <span class="c"># Create VPC peering (connects two VPCs)</span> <span class="nb">sudo</span> ./vpcctl peer <span class="nt">--vpc1</span> myvpc <span class="nt">--vpc2</span> another-vpc <span class="c"># Deploy an application (using helper script)</span> ./examples/deploy-web-app.sh myvpc public 8000 <span class="c"># Delete a VPC (cleans up everything)</span> <span class="nb">sudo</span> ./vpcctl delete <span class="nt">--name</span> myvpc </code></pre> </div> <h3> Using the Makefile (Even Easier!) </h3> <p>The repository includes a <code>Makefile</code> that makes common tasks even simpler:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># One command to set up everything and deploy a demo</span> make demo <span class="c"># Run comprehensive tests</span> make <span class="nb">test</span> <span class="c"># Clean up all VPCs</span> make clean <span class="c"># Show all available targets</span> make <span class="nb">help</span> </code></pre> </div> <p>The <code>make demo</code> command will:</p> <ol> <li>Set up IP forwarding</li> <li>Create a demo VPC</li> <li>Add a public subnet</li> <li>Deploy a web application</li> <li>Show you the URL to access it</li> </ol> <p>Try it out!</p> <h3> What vpcctl Does Under the Hood </h3> <p>Remember all those manual commands we ran? <code>vpcctl</code> does the same things automatically:</p> <p><strong>When you run <code>sudo ./vpcctl create --name myvpc --cidr 10.0.0.0/16</code>:</strong></p> <ul> <li>Creates a Linux bridge (<code>br-myvpc</code>)</li> <li>Assigns an IP address to the bridge</li> <li>Enables the bridge</li> <li>Stores VPC information in <code>.vpcctl/vpcs.json</code> </li> </ul> <p><strong>When you run <code>sudo ./vpcctl add-subnet --vpc myvpc --name public --cidr 10.0.1.0/24 --type public</code>:</strong></p> <ul> <li>Creates a network namespace (<code>ns-myvpc-public</code>)</li> <li>Creates a veth pair</li> <li>Moves one end into the namespace</li> <li>Connects the other end to the bridge</li> <li>Assigns IP addresses</li> <li>Configures routing tables</li> <li>Enables proxy ARP</li> <li>Sets up NAT (if public subnet)</li> <li>Configures DNS</li> </ul> <p>All of this happens automatically! 🎉</p> <h3> Benefits of Automation </h3> <ul> <li> <strong>Idempotent</strong>: Safe to run multiple times - won't create duplicates</li> <li> <strong>State management</strong>: Tracks VPCs in JSON file (<code>.vpcctl/vpcs.json</code>)</li> <li> <strong>Logging</strong>: All actions are logged to <code>.vpcctl/vpcctl.log</code> </li> <li> <strong>Error handling</strong>: Validates inputs and handles errors gracefully</li> <li> <strong>Consistent</strong>: Same results every time</li> <li> <strong>Fast</strong>: Creates VPCs in seconds instead of minutes</li> </ul> <h2> Part 12: Cleanup and Best Practices </h2> <h3> Cleaning Up </h3> <p>Always clean up your test resources:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Use the cleanup script</span> <span class="nb">sudo</span> ./cleanup.sh <span class="c"># Or manually delete VPCs</span> <span class="nb">sudo</span> ./vpcctl delete <span class="nt">--name</span> myvpc </code></pre> </div> <h3> Best Practices </h3> <ol> <li> <strong>Use descriptive names</strong>: Name your VPCs and subnets clearly</li> <li> <strong>Plan your IP ranges</strong>: Avoid overlapping CIDR blocks</li> <li> <strong>Test isolation</strong>: Always verify that VPCs are isolated</li> <li> <strong>Document your setup</strong>: Keep notes on your VPC configurations</li> <li> <strong>Clean up regularly</strong>: Remove unused VPCs to free resources</li> </ol> <h3> Common Pitfalls </h3> <ol> <li> <strong>Interface name length</strong>: Linux limits interface names to 15 characters</li> <li> <strong>Subnet mismatches</strong>: Gateway IP must be in the same subnet as the namespace</li> <li> <strong>Missing proxy ARP</strong>: Required for inter-subnet routing</li> <li> <strong>DNS configuration</strong>: Don't forget to configure DNS for public subnets</li> <li> <strong>NAT rules</strong>: Only public subnets need NAT rules</li> </ol> <h2> Conclusion </h2> <p>Congratulations! You've successfully built your own VPC from scratch! 🎉</p> <h3> What You've Accomplished </h3> <ul> <li>Created isolated virtual networks using Linux namespaces</li> <li>Connected networks using Linux bridges and veth pairs</li> <li>Implemented routing between subnets</li> <li>Enabled internet access using NAT</li> <li>Enforced VPC isolation</li> <li>Created VPC peering connections</li> <li>Implemented firewall rules</li> </ul> <h3> Next Steps </h3> <ol> <li> <strong>Experiment</strong>: Try creating more complex VPC topologies</li> <li> <strong>Automate</strong>: Use <code>vpcctl</code> to manage your VPCs</li> <li> <strong>Deploy applications</strong>: Run real applications in your VPCs</li> <li> <strong>Learn more</strong>: Explore advanced networking topics like BGP, VPNs, and load balancing</li> </ol> <h3> Resources </h3> <ul> <li> <strong>Repository</strong>: Clone the project from GitHub to get <code>vpcctl</code> and all examples</li> <li> <strong>README.md</strong>: Complete CLI documentation and usage examples</li> <li> <strong>Linux Networking Documentation</strong>: <a href="https://www.kernel.org/doc/Documentation/networking/" rel="noopener noreferrer">Official Linux networking docs</a> </li> <li> <strong>Makefile</strong>: Run <code>make help</code> to see all available automation targets</li> </ul> <h3> Final Thoughts </h3> <p>Building a VPC from scratch teaches you the fundamentals of network virtualization. The concepts you've learned here apply to cloud providers, container networking (Docker, Kubernetes), and virtualized environments.</p> <p>Remember: Understanding the fundamentals makes you a better engineer. Keep learning, keep building, and keep experimenting! 🚀</p> <p><strong>Happy VPC Building!</strong> 🌐</p> <p><em>If you found this guide helpful, please share it with others who might benefit from it!</em></p> networking beginners tutorial linux Creating Your First Isolated Linux Container with SSH Access: A Step-by-Step Guide Mart Young Thu, 27 Mar 2025 22:46:01 +0000 https://dev.to/mart_young_ce778e4c31eb33/creating-your-first-isolated-linux-container-with-ssh-access-a-step-by-step-guide-3j6h https://dev.to/mart_young_ce778e4c31eb33/creating-your-first-isolated-linux-container-with-ssh-access-a-step-by-step-guide-3j6h <h3> <strong>Introduction</strong> </h3> <p>Have you ever wondered how tools like Docker create isolated environments? In this guide, we’ll build a simple container from scratch using Linux namespaces. You’ll create a fully isolated environment with its own network and filesystem, then access it remotely via SSH or NSENTER. - No prior container experience needed!</p> <h3> <strong>What You’ll Learn</strong> </h3> <ol> <li>How Linux namespaces work </li> <li>Setting up a minimal container filesystem </li> <li>Configuring isolated networking </li> <li>Create a Custom cgroup</li> <li>Limit CPU Usage</li> <li>Startup a webserver &amp; host a simple webpage </li> <li>nsenter or SSH access with Dropbear (a lightweight SSH server) optional </li> </ol> <h3> <strong>Prerequisites</strong> </h3> <ul> <li>A Linux system (Ubuntu 24.04 used here) </li> <li> <code>sudo</code> access </li> <li>Basic terminal familiarity </li> <li>Internet connection </li> </ul> <h3> <strong>Step 1: The Complete Script</strong> </h3> <p>Here’s the full script we’ll be using. Don’t worry if it looks complex—we’ll break it down line by line!<br><br> Save this as <code>create-container.sh</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c"># setup_isolated_container_ssh.sh</span> <span class="c"># This script sets up a fully isolated container environment with its own network namespace using a veth pair,</span> <span class="c"># then chroots into a minimal filesystem and starts Dropbear SSH daemon and a BusyBox HTTP server.</span> <span class="nb">set</span> <span class="nt">-eo</span> pipefail <span class="c"># CONFIGURATION VARIABLES</span> <span class="nv">CONTAINER_ROOT</span><span class="o">=</span><span class="s2">"/opt/isolated_container"</span> <span class="nv">HOST_VETH</span><span class="o">=</span><span class="s2">"veth-host"</span> <span class="nv">CONTAINER_VETH</span><span class="o">=</span><span class="s2">"veth-container"</span> <span class="nv">HOST_IP</span><span class="o">=</span><span class="s2">"192.168.200.1/24"</span> <span class="nv">CONTAINER_IP</span><span class="o">=</span><span class="s2">"192.168.200.2/24"</span> <span class="nv">GATEWAY_IP</span><span class="o">=</span><span class="s2">"192.168.200.1"</span> <span class="nv">SSH_PORT</span><span class="o">=</span>22 <span class="nv">HTTP_PORT</span><span class="o">=</span>80 <span class="c"># Clean up any existing container filesystem</span> <span class="nb">rm</span> <span class="nt">-rf</span> <span class="s2">"</span><span class="k">${</span><span class="nv">CONTAINER_ROOT</span><span class="k">}</span><span class="s2">"</span> <span class="nb">mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="k">${</span><span class="nv">CONTAINER_ROOT</span><span class="k">}</span><span class="s2">"</span>/<span class="o">{</span>bin,etc/dropbear,proc,dev,www<span class="o">}</span> <span class="c"># Create device nodes (if not already present)</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-e</span> <span class="s2">"</span><span class="k">${</span><span class="nv">CONTAINER_ROOT</span><span class="k">}</span><span class="s2">/dev/null"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">mknod</span> <span class="nt">-m</span> 666 <span class="s2">"</span><span class="k">${</span><span class="nv">CONTAINER_ROOT</span><span class="k">}</span><span class="s2">/dev/null"</span> c 1 3 <span class="k">fi if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-e</span> <span class="s2">"</span><span class="k">${</span><span class="nv">CONTAINER_ROOT</span><span class="k">}</span><span class="s2">/dev/urandom"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">mknod</span> <span class="nt">-m</span> 666 <span class="s2">"</span><span class="k">${</span><span class="nv">CONTAINER_ROOT</span><span class="k">}</span><span class="s2">/dev/urandom"</span> c 1 9 <span class="k">fi</span> <span class="c"># Set up BusyBox in the container filesystem</span> <span class="nb">cp</span> /bin/busybox <span class="s2">"</span><span class="k">${</span><span class="nv">CONTAINER_ROOT</span><span class="k">}</span><span class="s2">/bin/"</span> <span class="nb">chmod</span> +x <span class="s2">"</span><span class="k">${</span><span class="nv">CONTAINER_ROOT</span><span class="k">}</span><span class="s2">/bin/busybox"</span> <span class="nb">cd</span> <span class="s2">"</span><span class="k">${</span><span class="nv">CONTAINER_ROOT</span><span class="k">}</span><span class="s2">/bin"</span> <span class="nb">ln</span> <span class="nt">-sf</span> busybox sh <span class="nb">ln</span> <span class="nt">-sf</span> busybox <span class="nb">ls ln</span> <span class="nt">-sf</span> busybox <span class="nb">mkdir ln</span> <span class="nt">-sf</span> busybox <span class="nb">cat ln</span> <span class="nt">-sf</span> busybox <span class="nb">echo ln</span> <span class="nt">-sf</span> busybox httpd <span class="nb">cd</span> - <span class="c"># Set up Dropbear in the container filesystem</span> <span class="nb">cp</span> /usr/sbin/dropbear <span class="s2">"</span><span class="k">${</span><span class="nv">CONTAINER_ROOT</span><span class="k">}</span><span class="s2">/bin/dropbear"</span> <span class="nb">chmod</span> +x <span class="s2">"</span><span class="k">${</span><span class="nv">CONTAINER_ROOT</span><span class="k">}</span><span class="s2">/bin/dropbear"</span> <span class="c"># Copy required libraries for dropbear (using ldd)</span> ldd /usr/sbin/dropbear | <span class="nb">awk</span> <span class="s1">'/=&gt;/ {print $3}'</span> | <span class="k">while </span><span class="nb">read</span> <span class="nt">-r</span> lib<span class="p">;</span> <span class="k">do </span><span class="nv">dest_dir</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">CONTAINER_ROOT</span><span class="k">}</span><span class="si">$(</span><span class="nb">dirname</span> <span class="s2">"</span><span class="nv">$lib</span><span class="s2">"</span><span class="si">)</span><span class="s2">"</span> <span class="nb">mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="nv">$dest_dir</span><span class="s2">"</span> <span class="nb">cp</span> <span class="s2">"</span><span class="nv">$lib</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$dest_dir</span><span class="s2">/"</span> <span class="k">done</span> <span class="c"># Create minimal passwd and group files</span> <span class="nb">echo</span> <span class="s2">"root:x:0:0:root:/:/bin/sh"</span> <span class="o">&gt;</span> <span class="s2">"</span><span class="k">${</span><span class="nv">CONTAINER_ROOT</span><span class="k">}</span><span class="s2">/etc/passwd"</span> <span class="nb">echo</span> <span class="s2">"root:x:0:"</span> <span class="o">&gt;</span> <span class="s2">"</span><span class="k">${</span><span class="nv">CONTAINER_ROOT</span><span class="k">}</span><span class="s2">/etc/group"</span> <span class="c"># Generate SSH host key if not present</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="k">${</span><span class="nv">CONTAINER_ROOT</span><span class="k">}</span><span class="s2">/etc/dropbear/dropbear_rsa_host_key"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span>dropbearkey <span class="nt">-t</span> rsa <span class="nt">-f</span> <span class="s2">"</span><span class="k">${</span><span class="nv">CONTAINER_ROOT</span><span class="k">}</span><span class="s2">/etc/dropbear/dropbear_rsa_host_key"</span> <span class="k">fi</span> <span class="c"># Set up web content (for testing; remove if not needed)</span> <span class="nb">echo</span> <span class="s2">"Isolated Container Web Server Ready!"</span> <span class="o">&gt;</span> <span class="s2">"</span><span class="k">${</span><span class="nv">CONTAINER_ROOT</span><span class="k">}</span><span class="s2">/www/index.html"</span> <span class="c"># Set up veth pair on the host</span> ip <span class="nb">link </span>add <span class="s2">"</span><span class="nv">$HOST_VETH</span><span class="s2">"</span> <span class="nb">type </span>veth peer name <span class="s2">"</span><span class="nv">$CONTAINER_VETH</span><span class="s2">"</span> ip addr add <span class="s2">"</span><span class="nv">$HOST_IP</span><span class="s2">"</span> dev <span class="s2">"</span><span class="nv">$HOST_VETH</span><span class="s2">"</span> ip <span class="nb">link set</span> <span class="s2">"</span><span class="nv">$HOST_VETH</span><span class="s2">"</span> up <span class="c"># Launch an isolated container shell with unshare and capture its PID</span> <span class="nv">CONTAINER_PID</span><span class="o">=</span><span class="si">$(</span>unshare <span class="nt">--fork</span> <span class="nt">--pid</span> <span class="nt">--mount</span> <span class="nt">--uts</span> <span class="nt">--ipc</span> <span class="nt">--net</span> <span class="nt">--user</span> <span class="nt">--map-root-user</span> bash <span class="nt">-c</span> <span class="s1">'echo $$; exec sleep infinity'</span><span class="si">)</span> <span class="nb">echo</span> <span class="s2">"Container PID: </span><span class="nv">$CONTAINER_PID</span><span class="s2">"</span> <span class="c"># Move the container side of the veth pair into the container's network namespace</span> ip <span class="nb">link set</span> <span class="s2">"</span><span class="nv">$CONTAINER_VETH</span><span class="s2">"</span> netns <span class="s2">"</span><span class="nv">$CONTAINER_PID</span><span class="s2">"</span> <span class="c"># Configure networking inside the container using nsenter</span> nsenter <span class="nt">--target</span> <span class="s2">"</span><span class="nv">$CONTAINER_PID</span><span class="s2">"</span> <span class="nt">--net</span> bash <span class="nt">-c</span> <span class="s2">" ip addr add '</span><span class="nv">$CONTAINER_IP</span><span class="s2">' dev </span><span class="nv">$CONTAINER_VETH</span><span class="s2"> &amp;&amp; ip link set </span><span class="nv">$CONTAINER_VETH</span><span class="s2"> up &amp;&amp; ip link set lo up &amp;&amp; ip route add default via '</span><span class="nv">$GATEWAY_IP</span><span class="s2">' "</span> <span class="c"># Chroot into the container and start SSH and HTTP services</span> ip <span class="nb">link set </span>lo up <span class="o">&amp;&amp;</span> ip route add default via <span class="s1">'$GATEWAY_IP'</span> <span class="s2">" # Mount proc in the container mkdir -p "</span><span class="k">${</span><span class="nv">CONTAINER_ROOT</span><span class="k">}</span>/proc<span class="s2">" nsenter --target "</span><span class="nv">$CONTAINER_PID</span><span class="s2">" --mount bash -c "</span>mount <span class="nt">-t</span> proc proc <span class="k">${</span><span class="nv">CONTAINER_ROOT</span><span class="k">}</span>/proc<span class="s2">" nsenter --target "</span><span class="nv">$CONTAINER_PID</span><span class="s2">" --mount chroot "</span><span class="k">${</span><span class="nv">CONTAINER_ROOT</span><span class="k">}</span><span class="s2">" /bin/sh -c "</span> nsenter <span class="nt">--target</span> <span class="s2">"</span><span class="nv">$CONTAINER_PID</span><span class="s2">"</span> <span class="nt">--mount</span> <span class="nb">chroot</span> <span class="s2">"</span><span class="k">${</span><span class="nv">CONTAINER_ROOT</span><span class="k">}</span><span class="s2">"</span> /bin/sh <span class="nt">-c</span> <span class="s2">" echo 'Inside container: starting HTTP server and Dropbear SSH daemon...'; echo 'Inside container: starting HTTP server and Dropbear SSH daemon...'; /bin/httpd -f -p </span><span class="nv">$HTTP_PORT</span><span class="s2"> -h /www &amp; exec /bin/dropbear -F -E -p </span><span class="nv">$SSH_PORT</span><span class="s2"> "</span> <span class="c"># End of script</span> </code></pre> </div> <h3> <strong>Step 2: Understanding Key Components</strong> </h3> <h4> <strong>1. Container Filesystem</strong> </h4> <ul> <li> <strong><code>/bin</code></strong>: Contains BusyBox (provides basic Linux commands) </li> <li> <strong><code>/dev</code></strong>: Device files like <code>null</code> and <code>urandom</code> (required for programs to work) </li> <li> <strong><code>/etc/dropbear</code></strong>: Stores SSH host keys </li> </ul> <h4> <strong>2. Network Setup</strong> </h4> <ul> <li>Creates a virtual Ethernet pair (<code>host-side</code> and <code>container-side</code>) </li> <li>Container gets IP <code>192.168.100.2</code>, host uses <code>192.168.100.1</code> </li> <li>Port <code>2222</code> on host forwards to container’s SSH port (<code>22</code>) </li> </ul> <h3> <strong>Step 3: Running the Script</strong> </h3> <p><strong>Make it executable</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">chmod</span> +x create-container.sh </code></pre> </div> <p><strong>Execute with sudo</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">sudo</span> ./create-container.sh </code></pre> </div> <p><strong>Connect via NSENTER</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> - to get the PID run : ps aux | <span class="nb">grep sleep sudo </span>nsenter <span class="nt">--target</span> &lt;PID&gt; <span class="nt">--mount</span> <span class="nt">--uts</span> <span class="nt">--ipc</span> <span class="nt">--net</span> <span class="nt">--pid</span> bash </code></pre> </div> <p><strong>OR</strong></p> <p><strong>Connect via SSH</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> ssh root@localhost <span class="nt">-p</span> 2222 </code></pre> </div> <h3> <strong>Step 4: What to Expect</strong> </h3> <h4> <strong>Connection</strong> </h4> <p>You’ll see a warning about the SSH key fingerprint (this is normal). Type <code>yes</code> to continue. </p> <h4> <strong>Inside the Container</strong> </h4> <p>Try these commands:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">ls</span> / <span class="c"># See container filesystem</span> ip addr <span class="c"># Show container's network</span> ps aux <span class="c"># List running processes (only container's)</span> </code></pre> </div> <h4> <strong>Step 5. Start a Web Server</strong> </h4> <ul> <li>Create a file, e.g., /opt/isolated_container/start_services.sh </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> #!/bin/sh echo "Starting HTTP server..." /bin/httpd -p 80 -h /www &amp; echo "Starting Dropbear SSH daemon..." /bin/dropbear -F -E -p 22 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> chmod +x /opt/isolated_container/start_services.sh </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> chroot /opt/isolated_container /bin/sh -c "/start_services.sh" </code></pre> </div> <h3> <strong>Troubleshooting</strong> </h3> <h4> ** SSH Connection Fails** </h4> <ul> <li>Verify port forwarding: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> iptables <span class="nt">-t</span> nat <span class="nt">-L</span> PREROUTING </code></pre> </div> <h4> <strong>Permission Denied</strong> </h4> <ul> <li>Ensure you used <code>sudo</code> when running the script </li> <li>Recreate device files if missing: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">mknod</span> <span class="nt">-m</span> 666 /opt/my_container/dev/null c 1 3 </code></pre> </div> <h3> <strong>How It Works: Beginner’s Glossary</strong> </h3> <ul> <li> <strong>Namespace</strong>: A isolated workspace for processes (like a private room) </li> <li> <strong>Veth Pair</strong>: Virtual Ethernet cable connecting host and container </li> <li> <strong>BusyBox</strong>: Swiss Army knife of Linux commands in a single file </li> <li> <strong>Dropbear</strong>: Lightweight SSH server (uses less resources than OpenSSH) </li> </ul> <h3> <strong>Next Steps</strong> </h3> <p><strong>Add Persistence</strong>:<br><br> Create files in <code>/opt/my_container/www</code>. </p> <p><strong>Customize SSH</strong>:<br><br> Add your public key to <code>/opt/my_container/root/.ssh/authorized_keys</code>.</p> <p>** Verify cgroups v2 is Active**<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> mount | grep cgroup2 </code></pre> </div> <p><strong>Create a Custom cgroup</strong><br> mkdir /sys/fs/cgroup/mycontainer</p> <p><strong>Limit CPU Usage</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> echo "50000 100000" &gt; /sys/fs/cgroup/mycontainer/cpu.max </code></pre> </div> <p><strong>Limit Memory Usage</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> echo $((512 * 1024 * 1024)) &gt; /sys/fs/cgroup/mycontainer/memory.max </code></pre> </div> <p><strong>Explore More</strong>:<br><br> Try installing additional software in the container using <code>chroot</code>. </p> <h3> <strong>Conclusion</strong> </h3> <p>You’ve just created a fully isolated Linux container from scratch! While this isn’t production-ready, it demonstrates core containerization concepts used by Docker and Kubernetes. Experiment with modifying the network setup or adding new services to deepen your understanding. </p> <p><strong>Happy container hacking!</strong> 🐧🔒</p> Hosting a Page with Nginx: A Newbie’s Journey Mart Young Wed, 29 Jan 2025 18:34:31 +0000 https://dev.to/mart_young_ce778e4c31eb33/hosting-a-page-with-nginx-a-newbies-journey-39i6 https://dev.to/mart_young_ce778e4c31eb33/hosting-a-page-with-nginx-a-newbies-journey-39i6 <p>How I learned to launch a simple HTML site (and you can too!)</p> <p>As someone just dipping their toes into <a href="https://hng.tech/hire/devops-engineers" rel="noopener noreferrer">DevOps Engineer</a>, <a href="https://hng.tech/hire/kubernetes-specialists" rel="noopener noreferrer">Kubernetes Specialists</a> and web hosting, I wanted to conquer a classic "first project": setting up a web server. My goal? Run Nginx on Ubuntu, host a page with my name, and document every stumble and triumph. Spoiler: It worked! Here’s how,</p> <p>Step 1: Preparing My Ubuntu Playground<br> I started by firing up a clean Ubuntu 22.04 environment. For simplicity, I used a virtual machine(ec2-Instance) on AWS <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EC2_GetStarted.html" rel="noopener noreferrer">Docs-here</a>, but you could also</p> <ul> <li><p>Use any other cloud server (Google cloud/Azure/Digital Ocean)</p></li> <li><p>Or even Docker (which I’ll mention later!).</p></li> </ul> <p><em>Pro Tip:</em> If you’re using Docker, this one-liner saves time (see <a href="https://docs.docker.com/get-started/" rel="noopener noreferrer">Docker’s getting-started guide</a>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker run <span class="nt">-it</span> <span class="nt">-p</span> 80:80 <span class="nt">--name</span> my-nginx ubuntu:latest </code></pre> </div> <h2> <strong>Step 2: Installing Nginx – The “Aha!” Moment</strong> </h2> <p>Updating packages felt like stretching before a workout:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>apt update </code></pre> </div> <p>Then came the magic command, as recommended in <a href="https://nginx.org/en/linux_packages.html" rel="noopener noreferrer">Nginx’s official installation guide</a>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>apt <span class="nb">install </span>nginx <span class="nt">-y</span> </code></pre> </div> <p><strong>Fun Fact:</strong> Nginx (pronounced "Engine-X") powers over <a href="https://w3techs.com/technologies/details/ws-nginx" rel="noopener noreferrer">33% of websites</a>. Now I’m one of them! </p> <h2> <strong>Step 3: Bringing Nginx to Life</strong> </h2> <p>Starting the service:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>systemctl start nginx </code></pre> </div> <p>Making sure it auto-restarts on reboots (learn more about <code>systemctl</code> <a href="https://www.freedesktop.org/software/systemd/man/systemctl.html" rel="noopener noreferrer">here</a>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>systemctl <span class="nb">enable </span>nginx </code></pre> </div> <p><em>At this point, I nervously opened my browser to <code>http://&lt;aws public ip&gt;</code>... and saw the default Nginx page! Progress!</em></p> <h2> <strong>Step 4: Crafting My Digital Hello World</strong> </h2> <p>Time to replace the generic page with my own. I navigated to the web root (Nginx’s default directory structure <a href="https://nginx.org/en/docs/beginners_guide.html" rel="noopener noreferrer">documented here</a>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> /var/www/html </code></pre> </div> <p>Then edited <code>index.html</code> with Nano (Vim warriors, fight me later ):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>nano index.html </code></pre> </div> <p>I wrote this barebones HTML (swap "[My Name]" with yours!):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;title&gt;</span>Welcome to My Corner of the Internet<span class="nt">&lt;/title&gt;</span> <span class="nt">&lt;style&gt;</span> <span class="nt">body</span> <span class="p">{</span> <span class="nl">display</span><span class="p">:</span> <span class="n">flex</span><span class="p">;</span> <span class="nl">flex-direction</span><span class="p">:</span> <span class="n">column</span><span class="p">;</span> <span class="nl">align-items</span><span class="p">:</span> <span class="nb">center</span><span class="p">;</span> <span class="nl">justify-content</span><span class="p">:</span> <span class="nb">center</span><span class="p">;</span> <span class="nl">min-height</span><span class="p">:</span> <span class="m">100vh</span><span class="p">;</span> <span class="c">/* Full viewport height */</span> <span class="nl">margin</span><span class="p">:</span> <span class="m">0</span><span class="p">;</span> <span class="nl">font-family</span><span class="p">:</span> <span class="n">Arial</span><span class="p">,</span> <span class="nb">sans-serif</span><span class="p">;</span> <span class="p">}</span> <span class="nt">h1</span> <span class="p">{</span> <span class="nl">color</span><span class="p">:</span> <span class="m">#2c3e50</span><span class="p">;</span> <span class="c">/* Modern dark-blue color */</span> <span class="p">}</span> <span class="nt">p</span> <span class="p">{</span> <span class="nl">font-size</span><span class="p">:</span> <span class="m">1.2em</span><span class="p">;</span> <span class="p">}</span> <span class="nt">&lt;/style&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Hey there! I'm [my name].<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;h2&gt;</span>Welcome to DevOps Stage 0 - [slack display name]<span class="nt">&lt;/h2&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <p><em>Ctrl+O to save, Ctrl+X to exit. Simple as that!</em></p> <h2> <strong>Step 5: The Grand Reveal</strong> </h2> <p>I refreshed <code>http://&lt;AWS - public-ip&gt;</code> and… <strong>there it was!</strong> My name in bold, staring back like a digital monument. For extra validation, on my terminal I ran:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl http://&lt;AWS - public-ip&gt; </code></pre> </div> <p>:For Docker<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl http://localhost </code></pre> </div> <p>The terminal echoed my HTML – pure satisfaction.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0avk1xufdln9a014c7f9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0avk1xufdln9a014c7f9.png" alt="webpage-screenshot" width="800" height="407"></a></p> <p><em>Pro Tip:</em> When trying to access your webpage with AWS public-IP, remember to use <em>http</em> and not <em>https</em></p> <h2> <strong>Bumps Along the way</strong> </h2> <ul> <li><p><strong>Security Group Fiasco:</strong> My first attempt failed due to security group issues on AWS. I had to spend sometime reading this <a href="https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html" rel="noopener noreferrer">AWS-Docs</a> and was able to resolve it by adding a rule to my security group</p></li> <li><p><strong>Docker Dilemma:</strong> When testing the Docker method, I forgot to mount the HTML file. Protip for Docker fans (<a href="https://docs.docker.com/storage/volumes/" rel="noopener noreferrer">Docker volumes explained here</a>):<br> </p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> docker run <span class="nt">-d</span> <span class="nt">-p</span> 80:80 <span class="nt">-v</span> <span class="si">$(</span><span class="nb">pwd</span><span class="si">)</span>/index.html:/usr/share/nginx/html/index.html nginx </code></pre> </div> <h2> <strong>Why This Matters</strong> </h2> <p>This tiny project taught me: </p> <ol> <li> <strong>Servers aren’t magic</strong> – just software following instructions. </li> <li> <strong>Documentation is survival gear.</strong> I kept notes like this: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> # My Cheat Sheet - Web root: /var/www/html - Test command: curl localhost - Logs: /var/log/nginx/error.log </code></pre> </div> <ol> <li> <strong>Troubleshooting is 80% of the job.</strong> (But that 20% success? Worth it.)</li> </ol> <h2> <strong>References &amp; Further Reading</strong> </h2> <ol> <li> <a href="https://nginx.org/en/docs/beginners_guide.html" rel="noopener noreferrer">Nginx Beginner’s Guide</a> </li> <li> <a href="https://ubuntu.com/server/docs" rel="noopener noreferrer">Ubuntu Server Documentation</a> </li> <li> <a href="https://docs.docker.com/get-started/" rel="noopener noreferrer">Docker’s Official Tutorials</a> </li> <li> <a href="https://developer.mozilla.org/en-US/docs/Learn/%0AHTML/Introduction_to_HTML/Getting_started" rel="noopener noreferrer">Mozilla’s HTML Basics</a> (for crafting your page)</li> <li> <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EC2_GetStarted.html" rel="noopener noreferrer">Get started with Amazon EC2</a> </li> </ol> <h2> <strong>Final Thoughts</strong> </h2> <p>In under an hour, I went from zero to hosting my own page. Whether you’re building a portfolio, a blog, or just experimenting, Nginx on Ubuntu is a sturdy foundation. Next step? Maybe add CSS, or try HTTPS with <a href="https://letsencrypt.org/" rel="noopener noreferrer">Let’s Encrypt</a>! </p> <p><strong>Got questions or war stories?</strong> Drop them in the comments (or tweet me)! Let’s geek out. </p> <p><em>Enjoyed this walkthrough? Share it with a friend who’s starting out their web hosting or DevOps journey!</em> </p> devops aws