DEV Community: Nandan K

DevOps Project: Hosting Serverless Web Application in AWS using S3,Lambda, CloudFront, DynamoDB, Route53, SSL certificate

Nandan K — Fri, 06 Mar 2026 06:07:21 +0000

🎯 DevOps is not just about learning tools; it’s about applying them to solve real-world problems. One of the best ways to build practical DevOps skills is by creating hands-on projects that demonstrate how different cloud services work together.

In this project, I built a serverless web application using core AWS services such as AWS Lambda, Amazon DynamoDB, CloudFront Distribution, Amazon S3, Route53, SSL certification and also integrating these different AWS services.

📌 AWS Services used to implement the project:

The application follows a serverless architecture, which means there are no servers to manage, and AWS automatically handles scaling and infrastructure management.
Amazon S3 will host the static website
AWS Lambda will run the backend logic that processes user requests.
DynamoDB as database
Route53 for DNS name resolution
created CloudFront distribution to speed up the data delivery
Created SSL certificate using Amazon certificate manager and attach it to CloudFront (for HTTPS secure connection)

Github Repo for source code: https://github.com/Nandan3/Projects_on_AWS_Lambda

📌 About AWS Lambda:

✅ What AWS Lambda does:

A serverless compute service that lets you run code without provisioning or managing servers.
Runs code without servers - You don’t manage EC2 instances.
Automatically scales depending on the amount of user traffic.
Integrates with other AWS services - S3, DynamoDB, CloudWatch, SNS, SQS, API Gateway, etc.
Supports popular programming languages like Python, Java, C#, Node.js, Go, Ruby, Power shell.
It has runtime API extension that allows you to use other programming language not listed.

✅ How It Works (Flow):

Lambda starts with an events, which triggers lambda to do something or execute the code.
Source of the event is another AWS services like S3, API Gateway. It can be trigger from stream of data or queue, like Kinesis Data Streams or Simple Queue Service.

📌 About Dynamo DB:
✅ Intro:

Managing and scaling NoSQL DB for web application and services.
Replicates data across multiple AWS Regions automatically.

✅ Features:

NoSQL data: Key-value and document-style storage.
Provides us fully managed serverless and highly available DB
Handle high traffic applications
Works with Lambda, API Gateway, Step Functions, etc.
Secure - Encryption, IAM-based access control, and VPC integration.

✅ Dynamo DB - Components:

Tables: place to store data or collection of data
Items: each table contains zero or more items. Entry into the table.
Attributes: items composed of one or more attributes. Like properties within table.

✅ Use cases:

Building internet scale applications, which supports user content, metadata and caches that require high concurrency and connections for millions of users and millions requests per seconds.
Also great for workloads that are used within real time video streaming and interactive content because it delivers low latency with multi-region replication.

Project Architecture:

🎯 Detailed guide for implementing the project:

📌 Steps to Configure S3:

✅ Step 1:

Go to S3 in AWS Console
Create S3 bucket with proper configuration set up. Name: Serverless-web-application Type: Private S3 bucket Server-side encryption with Amazon S3 managed keys (SSE-S3)

✅ Step 2:

Upload HTML, Java script, CSS files into S3 bucket

📌 Steps to configure CloudFront Distribution:

CloudFront is secure content delivery service in AWS and reduce the latency, ensures high data transfer speed.

✅ Step 1:

Go to CloudFront >> create Distributions Origin type: Amazon S3 S3 Origin: serverless-web-application-using-lambda.s3.ap-south-1.amazonaws.com (select from dropdown)

✅ Step 2:
Copy S3 bucket policy, which you need to attach to bucket. So that CloudFront can access the S3.
Go to CloudFront >> click on the distribution, which you created now >> select "Origin" >> select "origin name (severless-web-application)" >> Edit.

✅ Step 3:
Copy the CloudFront Policy

✅ Step 4:
Go to S3 bucket >> Permissions >> bucket policy >> paste the policy, which you copied

This allows the CloudFront Service principle to access S3 bucket

✅ Step 5:
Make sure that the default root object is "index.html" in cloud front. Because in S3 - "index.html" is the entry point to our application.

📌 Enable Route53 for CloudFront Distribution
✅ Step 1:

Purchase your own DNS name from GoDaddy or Route53 itself.
Then create Hosted zone by using DNS name in Route53 (if the DNS name is purchased from external).

✅ Step 2:

Inside CloudFront distribution >> origin >> add DNS name and select custom SSL certificate (if don't have request the certificate in Amazon ACM).

Add DNS record and SSL certificate into CloudFront

To request SSL certificate >> go to Amazon ACM >> request a certificate with "*.nandanwithtech.in" domain name.

Validate the certificate with Route53 for that: click on the certificate >> under "Domain" section >> create records in Route53 >> proceed.

A CNAME record will be created under Route53

✅ Step 3:

Create Route53 record for "serverless" subdomain in serverless.nandanwithtech.in

Now try to access the application with registered DNS name with "secure https": https://serverless.nandanwithtech.in/

📌 Steps to Create DynamoDB tables and map it with Lambda functions

Create a Dynamo DB table and make sure to create an IAM role for the Lambda function to give permission to access DynamoDB table.

✅ Step 1:

As we see in the web application, whenever any person enter his/her name and submit the details and refresh the page, view count should be increased.
For this, I'm creating Dynamo DB table in AWS and adding the Id, view items into the table.

✅ Step 2:

Create an IAM role and give permissions to Lambda functions to access dynamoDB. Go to IAM >> Role >> create role
Here I ensured the "least priviliged access" control mechanism, by giving only required permissions through policy and attached it to role.

📌 Creating a Lambda function and integrating with the website

✅ Step 1:

Go to Lambda >> create Lambda function Name: serverless-web-app-lambda Language: Python 3.14 Enable function URL to assign HTTPS to Lambda function

proceed with the Lambda function

Function URL: https://atzqihljt3dupct4orlsbjm5yi0qwgrl.lambda-url.ap-south-1.on.aws/

Add IAM role to Lambda function to access Dynamo DB Go to Lambda function >> configuration >> Permissions >> click on Edit >> choose execution role.

Update the code into Lambda function >> Test the code

Access the website using secure domain name - https://serverless.nandanwithtech.in/

📌 Error during implementation:

Solution: Add PutItem permission in IAM policy

DevOps Project: Containerize and Run an e-commerce based application in AWS EKS cluster using Terraform with all best practices

Nandan K — Tue, 24 Feb 2026 10:42:52 +0000

🎯 This Project contains the OpenTelemetry Astronomy Shop, a microservice-based distributed system intended to illustrate the implementation of OpenTelemetry in a near real-world environment.

Welcome to the OpenTelemetry Astronomy Shop Project Demonstration:

📌 Here the goals are:

Realistic Distributed System Example This repository demonstrates a real-world, microservice-based distributed application using the Open-Telemetry Astronomy Shop, designed to showcase end-to-end observability in modern cloud-native systems.
Multi-Microservice, Multi-Language Architecture The application consists of multiple independent microservices implemented in different programming languages, reflecting how real organizations build and maintain heterogeneous technology stacks.
Hands-On Observability Experience By implementing this project, you gain practical, hands-on experience with distributed tracing, context propagation, and observability tools as used in real production environments.
Industry-Aligned Learning Approach This project mirrors how organizations design, instrument, and monitor microservice architectures, helping learners understand real-world implementation patterns and best practices.

📌 Tools used to implement the application:

Containerize the micro-service using "Docker"
AWS services used - EC2 instance, IAM roles & policies, EKS cluster, Route53, VPC, Subnets
Kubernetes for managing the containerized micro-services.
AWS infrastructure creation using Terraform modules
Implemented the CI using GitHub Actions and CD using ArgoCD
Used Ingress and Ingress Controller to expose the application to external world.
Helm chart for downloading and installing the software's and dependencies.

📌 What You Will Learn:

Cloud Infrastructure Setup – Learn how to configure and deploy a cloud environment for DevOps implementation.
Understanding the Project & SDLC – Gain in-depth knowledge of software development lifecycles in microservices-based architectures.
Containerization with Docker – Learn how to package and manage applications efficiently using Docker.
Docker Compose Setup – Manage multi-container applications with Docker Compose.
Kubernetes for Orchestration – Deploy and manage containers at scale using Kubernetes.
Infrastructure as Code (IaC) with Terraform – Automate and manage cloud infrastructure effortlessly.

📌 Refer the Application architecture: https://opentelemetry.io/docs/demo/architecture/

📌 Refer the Source code of the application: https://github.com/open-telemetry/opentelemetry-demo

📌 Project architecture diagram and Overview of microservices is available at the below link.

Architecture
https://opentelemetry.io/docs/demo/architecture/

Overview of microservices used in the project

https://opentelemetry.io/docs/demo/services/

Running the Application in Local environment:

✅ Create EC2 Instance:
type: t2.large
storage: 30GB

✅ Resize File system: (if running out of space while creating the application)

Increase the instance volume to 30GB

Change the file system in CLI $lsblk

$sudo apt install cloud-guest-utils
$sudo growpart /dev/xvda 1
$sudo resize2fs /dev/xvda1

✅ If you face any issue related to "permission denied", while executing the docker commands. Add the user to docker group using:
$sudo usermod -aG docker ubuntu

✅ Running the application local environment using docker compose:

Why docker compose?

I'm deploying e-commerce application, which contains multiple micro-services. So we containerize and running as one model using docker compose is efficient.
It runs multiple containers at once and establish the dependencies between the containers.

✅ You will find the docker-compose.yaml file in my GitHub repository:
Link: https://github.com/Nandan3/End-to-End-DevOps-Projects/blob/main/docker-compose.yaml

✅ Run the below command
$docker compose up -d

It will pull the images from docker registry and run the micro-services

✅ Edit security groups inbound rules to access the application from web browser:

✅ Access the application using: http://:8080
Public-IP: EC2 Public IP

Containerize the multiple Micro-services using Dockerfiles:

📌 This is an e-commerce based application, which contains multiple micro-services. Each micro-services are developed using different programming languages. For example

Product-catalogue service: Go lang
Ad service: Java
Recommendation service: Python So I took 3 micro-services from different programming language, where I containerize the micro-services using Dockerfile and build the images.

📌 Product-catalog service: (Go programming language)

$sudo apt install golang-go
Files: go.mod & go.sum - takes care of dependencies

Build the service in local using below steps:
a. $export PRODUCT_CATALOG_PORT=8088
b. $go build -o product-catalog .
c. $./product-catalog

O/P:
INFO[0000] Loaded 10 products
INFO[0000] Product Catalog gRPC server started on port: 8088

✅ Using Dockerfile:

✅ Run the below commands to build the image and to run the container:
a. $docker build -t nandandocker07/product-catalog:v1 .

-t >> tag (docker-hub-user)/repo-name:version
. >> location of dockerfile

b. $docker run nandandocker07/product-catalog:v1

📌 Ad-service: (Java programming language)

Build using gradle or maven
File: gradlew (gradle wrapper for Linux & Mac) or gradlew.bat (for windows) takes care of dependencies. File: pom.xml (take care of dependencies in case of maven)

Build the service in local using below steps:
a. Install java:
$sudo apt install openjdk-21-jre-headless
b. Give permission to gradlew file
$chmod +x gradlew
c. Run the below command:
$./gradlew installDist

ü Start the gradle daemon, which is like a server
ü Install the dependencies
ü Perform code compilation
ü Build the application and stored in perticular directory
✅ Using Dockerfile:

✅ Run the below commands to build the image and to run the container:
a. $docker build -t nandandocker07/ad-service:v1 .

b. $docker run nandandocker07/ad-service:v1

📌 Recommendation service: (Python programming language)

File: requirments.txt take care of dependencies ✅ Using Dockerfile:

✅ Run the below commands to build the image and to run the container:
a. $docker build -t nandandocker07/recommandation-service:v1 .

b. $docker run nandandocker07/recommandation-service:v1

📌 Push the docker images into docker hub: (registry or container artifactory)

Registries are: dockerhub, quay.io, ECR, ACR, GHCR
First login to registry where you want to push the image Eg: $docker login docker.io $docker login quay.io $docker login ARN #AWS

Push the image using below command $docker tag docker.io/nandandocker07/product-catalog:v1 $docker push docker.io/nandandocker07/product-catalog:v1

docker.io >> docker hub registry
nandandocker07 >> registry user name
product-catalog >> repo name
:v1 >> tag of the image

📌 Preparation of docker-compose file to run the entire environment:

Main components of docker-compose.yml
ü Service object >> define how to pull or run the micro-services
ü Network object >> create network for all micro-services
ü Volume object
You will find the docker-compose.yaml file in my github repository
Link: https://github.com/Nandan3/End-to-End-DevOps-Projects/blob/main/docker-compose.yaml
Run the application using docker compose commands
$docker compose up -d

✅ Access the application using: http://:8080
Public-IP: EC2 Public IP

Deploy the Application into AWS EKS Cluster:

📌 Why AWS EKS?

Upgrades becomes easy
Manage control plane
Scaling become easy
Integrated K8s UI
Cost efficient

📌 Creating the following infrastructure using Terraform:

VPC, Public subnet and Private subnet
Internet gateway, NAT gateway, Route tables
EKS cluster

📌 Create S3 bucket and DynamoDB for state file management and locking:

📌 Create VPC & EKS cluster using Terraform:
VPC & Cluster creation code: https://github.com/Nandan3/End-to-End-DevOps-Projects/tree/main/EKS_install

✅ Cluster information:

cluster_endpoint = "https://D9F38304FBE9AFF51F006DE59DEC4993.gr7.us-west-1.eks.amazonaws.com"
cluster_name = "my-eks-cluster"
vpc_id = "vpc-09bcf1df61d87cf8b"

✅ Run the following command to create the cluster:
$terraform init
$terraform plan
$terraform apply --auto-approve

📌 How to connect to 1 or many Kubernetes clusters from command line ?

Cluster info are stored in kube-config files $kubectl config view $kubectl config current-context #context represents the cluster $kubectl config use-context #switch between the clusters
$cat ~/.aws/credentials >> Path where aws credentials are stored
$aws eks update-kubeconfig --region us-west-1 --name my-eks-cluster

o/p:
Added new context arn:aws:eks:us-west-1:454842419673:cluster/my-eks-cluster to /home/ubuntu/.kube/config
Context >> complete K8s related information (creates kube-config file)

$kubectl config view
$kubectl config current-context
$kubectl get nodes

📌 Deploying Project on K8:

EKS cluster creation is completed.
Check in CLI $kubectl config current-context

📌 Create a service account:

$kubectl apply -f complete-deploy.yaml
$kubectl get pods

📌 How one micro-services are connected another in this project?

By using environment variables ü Service name or URL is injected via ConfigMap ü Application reads it at runtime Eg: If want to connect shipping service to quote service, in the environment variable of shipping pod have service name of the quote service

In shipping service:

✅ Other ways:

By using service discovery mechanism using services
DNS-Based Service Discovery (Implicit - Kubernetes automatically creates DNS entries for Services.)
Headless Services (Direct Pod-to-Pod) [When to use - Stateful apps (Kafka, Cassandra), Client needs individual Pod identities]

✅ Access the project from outside the VPC/Cluster:

Change service type to LB mode to access via internet: $kubectl edit svc opentelemetry-demo-frontendproxy Add - type: LoadBalancer

Configure the Ingress and Ingress controller to expose the application into internet:

📌 Why Ingress and Ingress Controller:

Configuration of LB is not declarative or lack of declarative approach Eg: if I want to change from http to https, I have to do it in 2. AWS UI not in svc.yaml manifest.
Not cost effective Eg: if 10 microservice require external access, AWS will 10 LB
CCM only tied to AWS or any cloud provider LB, what about F5, nginx, Envy, Traffik
LB type will not work in mini-kube, kind, k3d

📌 Ingress:

It helps you to define routing rules for incoming traffic
Declarative (yaml) - LB can be updated and modified
Cost effective - using path based & host based routing, we can route the request 100's of target groups
Not dependent on CCM - by using reverse proxy or other mechanism

📌 Creation of Ingress & Ingress Controller:

Create Ingress resource for Front-end service >> creation of ALB Ingress controller (AWS), which reads the ingress resource >> accordingly ALB Ingress controller creates LB for us.

📌 Steps to install ALB ingress controller on EKS cluster:

ALB ingress controller is pod within the EKS cluster >> it creates an elastic LB >> creates only if service account of the ALB binds to the IAM roles or policies >> it binds through "IAM OIDC connector or provider"
Install eksctl in CLI
Make sure you are in the correct cluster

Follow the steps to set up OIDC provider and ALB controller: https://github.com/Nandan3/End-to-End-DevOps-Projects/blob/main/kubernetes_files/kubernetes-ingress-controller

oidc_id: D9F38304FBE9AFF51F006DE59DEC4993

Check if there is an IAM OIDC provider configured already [adding OIDC provider to my cluster]

✅ Create service account & IAM role & policy and attach it to SA:

Download IAM policy.json from AWS for ELB
Link: curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.11.0/docs/install/iam_policy.json
Create an IAM policy

Create IAM role and attach them to a service account created previously.

📌 Use Helm chart to download ALB controller:

Add helm repo for eks
$helm repo add eks https://aws.github.io/eks-charts
Install ALB controllers using helm & verify that the deployments are running.

$helm install aws-load-balancer-controller eks/aws-load-balancer-controller -n kube-system --set clusterName=my-eks-cluster --set serviceAccount.create=false --set serviceAccount.name=aws-load-balancer-controller --set region=us-west-1 --set vpcId=vpc-09bcf1df61d87cf8b

📌 Setup Ingress resources and access the Project:

Using ingress, access the project as external user
Change the type of the LB in frontendproxy service yaml $kubectl edit svc opentelemetry-demo-frontendproxy

✅ Create ingress resource using yaml manifest:

Link of yaml file: https://github.com/Nandan3/End-to-End-DevOps-Projects/blob/main/kubernetes_files/ingress.yaml
Run: $kubectl apply -f ingress.yaml

Accessing the application using IP address or DNS will not work until it will add it in local DNS file

✅ Steps to add IP & DNS into local DNS file:

In linux: add it in /etc/hosts
In windows: a. Open notepad as administrator >> file -> open -> select C:\windows\system32\drivers\etc\hosts file add C:\windows

Set up CICD pipeline using Github Actions and GitOps approach (ArgoCD):

📌 Built Continuous Integration pipeline using Github Actions:

Write a ci.yaml file under .github/worflows/ directory
Link of the file: https://github.com/Nandan3/End-to-End-DevOps-Projects/tree/main/.github/workflow
Create a new git branch in CLI
$git checkout -b cicheck
Switched to a new branch 'cicheck'
Modify main.go file in product-catalog directory

📌 Built Continuous Deployment pipeline using GitOps approach:

✅ Why ArgoCD is preferred over other tools (like Ansible, shell scripting, python using helm)

Constant monitoring and automatic deployment to K8s cluster 2. Reconciliation of state: if any changes made in k8s cluster directly argoCD removes it and fix it into previous version. (version control system is the source of truth)

Deep dive into the IAM concepts and understand it with practicle hands-on.

Nandan K — Sat, 21 Feb 2026 13:54:48 +0000

🎯 In my recent interviews, I encountered lot of IAM related questions including scenario based questions in AWS.

For example "an IAM user has FullAdmin, access to AWS account, yet he/she not able to access the S3 buckets, what must be the reason?"

So I deep dive into the IAM concepts and understand it with practicle hands-on.

📌 IAM User:

Represents a person, service or app needing access.
To access any services in AWS >> grant user permissions >> to provide that permission, first assign "IAM Policies" to specific user or groups.

📌 IAM Groups:

Collection of users with common permissions and roles

📌 IAM Roles:

Temporary access given to users, apps, or services.
Increases the security
Permissions for IAM roles comes from IAM policy (attach it roles, AWS service, Users, Groups)

✅ Implement the "Principle of Least Privilege":

If your user needs access to do their jobs, give them access, but take away the access that they don't need.

📌 IAM Policies and Permissions:

Permissions are provide fine-grained control over the actions performed on AWS resources or service.

Policies manage actions and permissions in AWS >> rules that define what resources an entity can access and what actions they can perform.

✅ AWS Identity Based Policy:

It is policy attach to roles, groups or users

✅ AWS Resource Based Policy:

Policy is directly attach to AWS resources like S3, RDS etc >> this policy is going to define which user or service have the permission to access the resource.

Here, the group called "accounting" is denied from deleting the S3 bucket and objects within the bucket.

📌 IAM Permission Boundaries:

If new interns are hired >> they doesn't have proper experience >> these permissions are too wide to them >> so how can we limit the access to the new interns, while adding them into the proper group?

Solution: IAM Permission Boundaries
If Developer have full access to the logs group, then I can assign list access to the new interns (Max level of Permission).

Even though new intern has the Full control permission, but "Permission Boundary" limits the access to only access the resource.

📌 IAM Session Policy:

It allows temporary access to users on AWS resources.

📌 Inline Policy:

Attach the policy directly to user, group, roles
Cannot be used by any other user, group, roles Eg: Provide temporary S3 access to DevOps Engineer (only valid for certain time period)

📌 Managed Policy:

Created and managed by AWS
It can be reused with other entities in different accounts.

Policy with Conditions:

To be continued...

AWS #Kubernetes #Terraform #Docker

Terraform Provisioners

Nandan K — Thu, 25 Dec 2025 07:51:08 +0000

Day 16 of #30daysofawsterraform challenge

🎯 Do you want to execute the script or implement some configuration during resource creation or destruction using Terraform in any cloud providers? Here is the "Terraform Provisioners"

✅ Terraform Provisioners are used to run scripts or commands on a resource after it is created (or before it is destroyed).

✅ Key Features:
1. Provisioners run during resource lifecycle events (creation or destruction)
2. They are a "last resort" - Terraform recommends using native cloud-init, user_data, or configuration management tools when possible
3. They execute only once during resource creation (not on updates)
4. Failure handling: By default, if a provisioner fails, the resource is marked as "tainted" and will be recreated on next apply

💡 Types of Provisioners:

📌 "local-exec" Provisioner:
Runs a command on the machine where Terraform is executed, NOT on the resource.
Eg:
provisioner "local-exec" {
command = "echo 'Local-exec: created instance ${self.id} with IP ${self.public_ip}'"
}

📌 "remote-exec" Provisioner:
Runs commands inside the created server (EC2, VM).
Eg:

📌"file" Provisioner:
Copies files from local machine to remote server.
Eg:

⚠️Why Terraform Provisioners Are NOT Recommended
Provisioners:
1. Run after resource creation
2. Depend on SSH / network readiness
3. Are not idempotent (can fail on re-run)
4. Mix infrastructure creation with server configuration

✅ Better Alternatives:
1. user_data (Cloud-init) - A script that runs automatically when the server boots. (Best for Bootstrapping)
2. Custom AMIs - Pre-built machine images with software already installed.
3. Configure servers after creation, but in a controlled, idempotent way using Ansible, Chef, Puppet.
4. Run commands on EC2 using AWS agent like AWS Systems Manager.

For more details refer:
Youtube: https://youtu.be/DkhAgYa0448?si=R_b7sBYuC7CPCV2i
Github: https://github.com/Nandan3/Terraform-Full-Course-Aws/tree/main/lessons/day19

Devops #Terraform #AWS

Mini project to demonstrate VPC peering in AWS using Terraform

Nandan K — Tue, 16 Dec 2025 08:58:54 +0000

Day 15 of #30daysofawsterraform challenge

🎯 This mini project demonstrates cross-region VPC peering, enabling secure private communication between EC2 instances in different AWS regions while maintaining network isolation and controlled access. The setup enables secure, low-latency communication between resources in both VPCs using private IP addresses.

✅ What is VPC Peering?

VPC Peering is a networking connection between two Virtual Private Clouds (VPCs) that enables private IP communication between them as if they were part of the same network.

Architecture:

✅ In this demo we creates:

✨ Networking section:
1. Two VPC in us-east-1 & us-west-2
2. Configure one public subnet in each VPC
3. Internet Gateways - one for each VPC to allow internet access
4. Custom route tables with routes to internet and peered VPC
5. VPC peering - Cross-region peering between the two VPCs

✨ Compute Resources:
1. EC2 instances in each VPC

✨ Configure Security Groups:
1. SSH access from anywhere (port 22)
2. ICMP (ping) allowed from peered VPC
3. All TCP traffic allowed between VPCs

💡 Below are the detailed steps we followed to implement the project:

📌Step 1: Prerequisites:

aws cli should be installed
Terraform should be installed
Configure AWS Credentials using "aws configure" command

📌Step 2: Create SSH Key Pairs in each region

# Create key pair in us-east-1
aws ec2 create-key-pair \
--key-name vpc-peering-demo-east \
--region us-east-1 \
--query 'KeyMaterial' \
--output text > vpc-peering-demo-east.pem

# Create key pair in us-west-2
aws ec2 create-key-pair \
--key-name vpc-peering-demo-west \
--region us-west-2 \
--query 'KeyMaterial' \
--output text > vpc-peering-demo-west.pem

✅ Main.tf file:

📌Step 3:
Provisioned a Primary VPC in us-east-1 and a Secondary VPC in us-west-2 using separate provider aliases.

📌Step 4:
Public subnet was created in each VPC using region-specific availability zones.

📌Step 5:
Internet Gateways were created and attached to both VPCs. This enables outbound internet access and inbound connectivity for public resources.

📌Step 6:
Custom route tables were created for both VPCs with a default route (0.0.0.0/0) pointing to the Internet Gateway. Each route table was associated with its corresponding subnet. This ensures proper routing for internet traffic within each VPC.

📌Step 7:
A VPC peering connection was initiated from the Primary VPC to the Secondary VPC across regions. This establishes private connectivity between the two isolated networks.

Same has to be done from secondary VPC to primary VPC

📌Step 8:
Routes were added in both VPC route tables to direct traffic destined for the peer VPC CIDR via the peering connection. This enables bidirectional communication using private IP addresses.

Same has to be done from secondary VPC to primary VPC

📌Step 9:
Security groups were defined in each VPC to allow SSH access for administration. ICMP and TCP traffic were permitted between the VPC CIDR ranges to validate connectivity.

Same has to be done for Secondary VPC

📌Step 10:
EC2 instances were launched in each subnet using region-appropriate AMIs and key pairs.

Same has to be done for Secondary instance

📌Data_source.tf file:

Same has to be done for Secondary VPC

📌Locals.tf file:

📌Variables.tf file:

Outputs:

For more details refer:
Youtube: https://youtu.be/WGt000THDmQ?si=bjisghj-pts6-GPu
Github: https://github.com/Nandan3/Terraform-Full-Course-Aws/tree/main/lessons/day15

Devops #Terraform #AWS

Thanks to Piyush sachdeva The CloudOps Community

Deploying a secure and scalable static website on AWS using Terraform

Nandan K — Sat, 13 Dec 2025 10:27:55 +0000

Day 14 of #30daysofawsterraform challenge

🎯 This mini project demonstrates the deployment of a secure static website on AWS using Terraform. It implements an end-to-end infrastructure-as-code solution leveraging Amazon S3 for static content storage and Amazon CloudFront for global content delivery, ensuring high availability, improved performance, and HTTPS-enabled access through a custom domain.

🧠 Project Architecture:

💡 Step-by-step approach for project implementation:

📌 Step 1:
Provisioned an S3 bucket to store static website files and blocked all public access, ensuring the bucket is not directly accessible from the internet.

📌 Step 2: Automatically uploaded all files from the local www/ directory to S3 and set MIME content types (HTML, CSS, JS, images).

📌 Step 3:
Looked up the existing public Route 53 hosted zone for my domain.

📌 Step 4:
Requested an SSL Certificate through AWS Certificate Manager, which is mandatory for CloudFront access validated the certificate using DNS validation via Route 53.

📌 Step 5:
Created a CloudFront Origin Access Control (OAC), which ensures that only CloudFront can read content from your S3 bucket over HTTPS, and direct public access to S3 is completely blocked.

📌 Step 6:
Configure the CloudFront (CF) distribution through Terraform resources.
CF is the setup that connects users to your content through AWS’s global CDN. It reduces the latency through caching content in nearest edge location.

📌 Step 7:
Applied an S3 bucket policy allowing s3:GetObject only from the CloudFront distribution using SourceArn conditions.

📌 Step 8:
Created a Route 53 alias record pointing your custom domain to the CloudFront distribution and enabled HTTPS access via your custom domain.
The Route 53 alias record maps my custom domain (for example, www.example.com) to the CloudFront distribution so users can access the website using your own domain.

variable.tf file:

Outputs.tf file:

Outputs:

✅ For more details refer:
YouTube: https://youtu.be/bK6RimAv2nQ?si=4wzFeWv1qBgiMKwo
Github: https://github.com/Nandan3/Terraform-Full-Course-Aws/tree/main/lessons/day14

Devops #Terraform #AWS

Thanks to Piyush sachdeva The CloudOps Community

Terraform Data Sources

Nandan K — Thu, 11 Dec 2025 06:32:18 +0000

🧠 Hardcoding the values in code is breach of security and reusing hardcoded values again and again is not a good practice. So today I come across an interesting topic i.e. "Data Sources".

🎯 Data Sources in terraform allows us to read existing information from your cloud provider without creating anything and also minimises the use of hardcoded values in terraform code.

📌 Why Do We Use Data Sources?

To get IDs of existing VPCs, subnets, AMIs, security groups
To fetch latest AMI dynamically
To use existing infrastructure in new Terraform code
To avoid hardcoding values

💡 Let's take an example, we have shared VPC with multiple teams using it and has 2 subnet. We want to provision 2 EC2 instances in each subnet by giving reference of existing VPC and subnet and also use pre-existing Linux image while creating EC2 instances by using data sources.

My hands-on demo's:

Terraform Functions

Nandan K — Tue, 09 Dec 2025 11:13:34 +0000

Function in terraform help you transform data, build dynamic values, and write smarter infrastructure code.
Terraform supports only built in function. Here are some details -

📌 String Functions:

✅ lower() - lower("HELLO") → "hello"
✅ upper() - upper("hello") → "HELLO"
✅ replace() - replace("dev-app", "dev", "prod") → "prod-app"
✅ substr()
✅ trim() - trim(" hello ", " ") → "hello"
✅ split() - split(",", "a,b,c") → ["a", "b", "c"]
✅ join() - join(",", ["a", "b", "c"]) → "a,b,c"
✅ chomp() - chomp("hello\n") → "hello" hashtag#cuts off the last newline character from a string.

📌 Numeric Functions
✅ abs() - abs(-3) → 3 hashtag#Absolute value
✅ max() - max(10, 5, 8) → 10
✅ min() - min(10, 5, 8) → 5
✅ ceil() - ceil(4.2) → 5 hashtag#Round UP a number
✅ floor() - floor(4.8) → 4 hashtag#Round DOWN a number
✅ sum() - sum([1, 2, 3]) → 6

📌 Collection Functions
✅ length() - length([1,2,3]) → 3
✅ concat() - concat([1,2], [3,4]) → [1,2,3,4]
✅ merge() - merge({a=1}, {b=2}) → {a=1, b=2}
✅ reverse() - reverse([1, 2, 3, 4]) → [4, 3, 2, 1]
✅ toset() - toset(["a", "b", "a"]) → ["a", "b"]

Converts a list into a set.
A set has unique values (no duplicates) and order does not matter ✅ tolist() - tolist(toset(["a", "b", "a"])) → ["a", "b"]
Converts something (like a set or tuple) into a list.
A list keeps order and allows duplicates

📌 Type Conversion
✅ tonumber() - tonumber("10") → 10
✅ tostring() - tostring(100) → "100"
✅ tobool() -

tobool("true") → true
tobool(1) → true
tobool(0) → false

📌 File Functions
✅ file() - file("message.txt") → "Hello Nandan"

Reads a file from your system and returns the text inside it.
Use this when loading user-data scripts or config files. ✅ fileexists() - fileexists("config.yaml") → true/false ✅ dirname() - get folder / directory path ✅ basename() - get the filename inside the directory

📌 Date/Time Functions
✅ timestamp() - current date and time
✅ formatdate() - formatdate("YYYY-MM-DD", timestamp()) hashtag#changes a date/time into a different format.
✅ timeadd() - adds time (like days, hours, minutes) to a timestamp.

📌 Validation Functions

✅ can() - can(tolist("hello")) → false hashtag#cannot convert string "hello" to list

It tells you if an expression will run without error.
Use it to safely test something without breaking Terraform. ✅ regex() - regex("^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$", "nandan@gmail.com") hashtag#Check if a value looks like an email
Checks if a string matches a regular expression pattern. ✅ contains() - contains(["dev", "prod"], "dev") → true
Returns true if an item exists inside a list. ✅ startswith() - startswith("dev-app", "dev") → true hashtag#Returns true if the string starts with the given text. ✅ endswith() - endswith("app-prod", "dev") → false hashtag#Returns true if the string ends with the given text.

📌 Lookup Functions

✅ lookup() - lookup({env = "dev", region = "us-east-1"}, "env", "default") → "dev"

It returns a value from a map (key–value pair).
If the key does NOT exist → it returns a default value.

✅ element() - element(["a", "b", "c"], 1) → "b" hashtag#returns the item at a specific index from a list.
✅ index() - index(["dev", "stage", "prod"], "stage") → 1 hashtag#Find the Position of a Value in a List.

Refer: https://lnkd.in/gNHnBNDe

hashtag#Devops hashtag#Terraform hashtag#AWS

Thanks to Piyush sachdeva The CloudOps Community

Terraform Expressions

Nandan K — Tue, 09 Dec 2025 08:20:27 +0000

📋 Today I have completed Terraform expression, its types and use cases with practical hands-on.

📌What is terraform expression?

Help us to avoid rewriting the code again and again, make configurations dynamic, reusable, and smart.

✅ Types:

📌 Conditional expression:

Evaluates a condition and returns one of two values based on whether the condition is true or false.

Syntax:
Condition ? True_value : false_value

Eg:

Output:

📌 Dynamic Blocks:

It will used when you want to create repeated nested blocks automatically, instead of writing them manually.
It’s like a loop (for-each) inside a resource block and will create one block for each item in a list or map.

Syntax:
dynamic "block_name" {
for_each = var.collection
content {
# Block configuration using each.key and each.value
}
}

🔁 How it works:

for_each iterates over a list or map
content defines what each block should contain
Access values using block_name.value or block_name.key

Eg:
main.tf:

variable.tf:

Output:

🌀 Use Cases:

Security group rules
Multiple EBS volumes on EC2 instances
Route table routes
IAM policies
Kubernetes containers
CloudFront behaviors
Tags
Environment variables

📌 Splat Expression:

Let's you get a list of values from multiple resources created using count or for_each.
It’s like saying “give me this attribute from ALL the resources.”

Syntax:
resource_list[*].attribute_name

Eg:

Gives the instance ids from nandan_ec2 instances.

Refer: https://youtu.be/R4ShnFDJwI8?si=rlAMgR-JZjdd6djf

Thanks to Piyush, The Cloud Community

Terraform Life Cycle Rules

Nandan K — Wed, 03 Dec 2025 10:09:47 +0000

Day 9 of #30daysofawsterraform challenge

Do you really want to prevent someone from accidental deletion of resources, improve the security and improve the manageability of infrastructure in Terraform? Here is the Terraform life cycle rules comes into play.

Today I have covered "Terraform life cycle rules" with practical hands-on.

§ What is Terraform life cycle rules:
1. Terraform Lifecycle rules gives you fine-grained control over resource behavior, preventing unwanted changes and ensuring stability in production environments.

§ Meta-Arguments:

○ create_before_destroy:
1. It allows to create replacement resource first, before destroying the old one.
2. Ensures zero downtime
Eg:
resource "aws_instance" "nandan_ec2" {
ami = "ami-0ff8a91507f77f867"
instance_type = "t2.micro"
region = var.region

      tags = var.tags

      lifecycle {
        create_before_destroy = false
      }
    }

ü Usecases:
1. Updating an AWS Load Balancer that must always remain online
2. Rotating EC2 instances in an Auto Scaling group
3. Updating an RDS instance when you want zero downtime
4. Replacing an S3 bucket with the same configuration safely

○ prevent_destroy:
1. Protects resources by blocking any operation that would delete them.
Eg:
resource "aws_s3_bucket" "production_logs" {
bucket = "nandan-production-logs"

      lifecycle {
        prevent_destroy = true
      }
    }

ü Usecase:
1. Protecting production databases
2. Preventing deletion of S3 buckets holding logs or critical data
3. Safeguarding VPCs, subnets, and networking components
4. Security groups protecting production resources
5. Stateful resources that should never be deleted

○ ignore_changes:
1. Tells Terraform to ignore changes to specified resource attributes.
Eg:
resource "aws_autoscaling_group" "app_servers" {
desired_capacity = 2

    lifecycle {
ignore_changes = [
  desired_capacity,  # Ignore capacity changes by auto-scaling
  load_balancers,    # Ignore if added externally
]

}
}

ü Use Cases:
1. Auto Scaling Group capacity (managed by auto-scaling policies)
2. EC2 instance tags (added by monitoring tools)
3. Security group rules (managed by other teams)
4. Database passwords (managed via Secrets Manager)

○ replace_triggered_by:
1. Used to force the replacement of a resource when another resource or value changes.
Eg:
resource "aws_instance" "web" {
ami = var.ami_id
instance_type = "t2.micro"

      lifecycle {
        replace_triggered_by = [
          var.ami_id
        ]
      }
    }

ü Use Cases:
1. Replace EC2 instances when security groups change
2. Recreate containers when configuration changes
3. Force rotation of resources based on other resource updates
4. For immutable infrastructure patterns

○ precondition:
1. Validates conditions BEFORE Terraform attempts to create or update a resource. Errors if condition is false.
Eg:
resource "aws_instance" "web" {
ami = var.ami
instance_type = var.instance_type

      lifecycle {
        precondition {
          condition     = contains(["t2.micro", "t3.micro"], var.instance_type)
          error_message = "Only t2.micro and t3.micro are allowed!"
        }
      }
    }

ü Use Cases:
1. Validate deployment region is allowed
2. Ensure required tags are present
3. Check environment variables before deployment
4. Validate configuration parameters

○ postcondition:
1. Validates conditions AFTER Terraform creates or updates a resource. Errors if condition is false.
Eg:
resource "aws_instance" "web" {
ami = var.ami
instance_type = "t2.micro"

      lifecycle {
        postcondition {
          condition     = self.public_ip != ""
          error_message = "Instance must have a public IP assigned!"
        }
      }
    }

ü Use Cases:
1. Ensure required tags exist after creation
2. Validate resource attributes are correctly set
3. Check resource state after deployment
4. Verify compliance after creation

Devops #Terraform #AWS

Thanks to Piyush sachdeva The CloudOps Community

Terraform Meta-arguments

Nandan K — Tue, 02 Dec 2025 07:59:43 +0000

Day 8 of #30daysofawsterraform challenge

Today I have deep dive into use cases of meta arguments with practicle examples.

What is it?
Meta-arguments are special arguments that can be used with "any resource type" to change the behavior of resources.

Different Meta-arguments:

Count:
Create multiple resource instances based on a number
Eg:
resource "aws_s3_bucket" "nandan_bucket" {
  count  = 3
  bucket = "my-bucket-${count.index}"
  tags = var.tags
}


For_each:
Creating resources from a map or set.
Eg:
resource "aws_s3_bucket" "example" {

for_each = toset(["bucket1", "bucket2", "bucket3"])
bucket = each.value
}

Depends_on:
Ensuring resources are created in specific order
Eg:
resource "aws_s3_bucket" "dependent" {

bucket = "my-bucket"

depends_on = [aws_s3_bucket.primary]
}

Provider:

Use cases:

    Multi-region deployments

    Multi-account setups

    Cross-region replication

Eg:

resource "aws_s3_bucket" "example" {

  provider = aws.west  # Use alternate provider

  bucket   = "my-bucket"

}

Devops #Terraform #AWS

Thanks to Piyush sachdeva The CloudOps Community

Terraform type constraints or variable types

Nandan K — Mon, 01 Dec 2025 13:30:31 +0000

Day 7 of #30daysofawsterraform challenge

Today I come across different types of variables in Terraform.

$ What is variables in Terraform?
Variables in Terraform are like placeholders that store values, this makes your code reusable across environments (dev, staging, prod) and teams.

$ Types:

Basic Types:

String - Text values Eg: variable "environment" { default = "dev" type = string

Access using:
Environment = var.environment

Number - Numeric values (integers and floats) Eg: variable "instance_count" { description = "Number of instances to create" type = number }

Access using:
count = var.instance_count

Bool - Boolean values (true/false)
Eg:
variable "monitoring_enabled" {
description = "Enabled detailed monitoring for EC2 instance"
type = bool
default = true
}

Access using:
monitoring = var.monitoring_enabled

Collection Types:

List(type) - Ordered collection of values Eg: variable "cidr_block" { description = "CIDR block for VPC" type = list(string) default = ["10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12"] }

Access using:
cidr_ipv4 = var.cidr_block[2]

Set(type) -
Unordered collection of unique values
Do not allow the duplicates
It cannot access by their index - first convert it into list and then access the data.

Eg:
variable "allowed_region" {
description = "AWS list of allowed regions"
type = set(string)
default = ["us-east-1", "us-west-1", "us-west-2"]
}

Access using:
region = tolist(var.allowed_region)[0]

Map(type) - Key-value pairs with string keys Eg: variable "tags" { type = map(string) default = { Environment = "dev" Name = "dev-EC2-instance" } }

Access using:
tags = var.tags

Tuple([type1, type2, ...]) - Ordered collection with specific types for each element. Eg: variable "ingress_values" { type = tuple([number, string, number]) default = [443, "tcp", 443] }

Access using:
from_port = var.ingress_values[0]
ip_protocol = var.ingress_values[1]
to_port = var.ingress_values[2]

Object({key1=type1, key2=type2, ...}) - Structured data with named attributes.
Eg:
variable "config" {
type = object({
region = string,
monitoring = bool,
instance_count = number
})

default = {
region = "us-east-1",
monitoring = true,
instance_count = 1
}
}

Access using:
region = var.config.region
monitoring = var.config.monitoring

Devops #Terraform #AWS

Thanks to Piyush sachdeva The CloudOps Community