The latest articles on DEV Community by Viktor Vasylkovskyi (@vvasylkovskyi). https://dev.to/vvasylkovskyi https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2437649%2F528a6805-4df8-4fa5-8eb6-d4110d4defff.jpg https://dev.to/vvasylkovskyi en Viktor Vasylkovskyi Wed, 20 May 2026 08:30:28 +0000 https://dev.to/vvasylkovskyi/openclaw-and-claude-code-multi-agents-talking-via-handoff-file-1jk6 https://dev.to/vvasylkovskyi/openclaw-and-claude-code-multi-agents-talking-via-handoff-file-1jk6 <p>A few months ago I finished setting up my Raspberry Pi with metrics, alerting, domain access, and secrets, and ended up with a pretty neat device that did nothing. Around the same time OpenClaw started showing up in my feed — a bot with access to an LLM that could sit on a small device and do work for you. The pitch was good enough that I gave it a weekend.</p> <p>A weekend turned into months of configurations hell and confusion. The thing I underestimated was how big the gap is between "an LLM bot responds on Discord" and "an LLM bot does real engineering work for me." A bot that can chat is easy. A bot that can take a Discord message, decide it needs to write code, write that code, run tests, open a PR, and tell me about it that is a different category of system.</p> <h2> An LLM bot does real engineering work for me.. </h2> <p>That shift surfaces three problems that the cosy "ask the LLM a question" framing hides. Given my experience in building agents, I wanted to avoid the <a href="https://arxiv.org/abs/2305.14491" rel="noopener noreferrer">context rots</a> and <a href="https://arxiv.org/abs/2507.11538" rel="noopener noreferrer">instruction overload</a> problems from the start. Additionally, I had been pretty comfortable using Claude Code for coding tasks. So OpenClaw had to come-in for something else.</p> <p>If you have are agents builder, you will recognise that building a multi agent system is the answer to the problems above. The killer feature of OpenClaw for me is the chat integrations which comes at a low cost so it felt really compelling.</p> <p>The separation becomes clear:</p> <ul> <li>OpenClaw handles user interaction</li> <li>Claude Code handles writing code.</li> </ul> <p>Unsurpisingly this is a setup that has been proven in the past by this tweet <a href="https://x.com/elvissun/status/2025920521871716562" rel="noopener noreferrer">https://x.com/elvissun/status/2025920521871716562</a>, which has been an inspiration and drove me to reproduce the setup.</p> <h2> Building Coding Assistant </h2> <p>Here is the shape of it, before getting into the why:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd8pljf645i4ncnfdgmnc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd8pljf645i4ncnfdgmnc.png" alt=" " width="798" height="127"></a></p> <p>Two agents, one file hand-off between them. OpenClaw is the long-lived assistant on Discord. Claude Code is spawned per task, does the work, opens a PR, exits. The filesystem is just a folder — OpenClaw drops a task in, Claude Code picks it up, drops the result back. OpenClaw also listens for PR events from GitHub as a heartbeat, so it can confirm the work actually landed and not just that Claude Code said it did.</p> <p>The rest of the post is the why and the how.</p> <h2> Three protocols, one survivor </h2> <p>The job is straightforward to describe. OpenClaw understands the user request from Discord, decides this needs real code written, and hands the work off to Claude Code, which produces a PR. OpenClaw watches for completion and reports back.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftjzoy4a10z635rk0ool3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftjzoy4a10z635rk0ool3.png" alt=" " width="797" height="134"></a></p> <p>The whole problem is the box in the middle.</p> <p>The hard part is the hand-off. I tried three using a shared <a href="https://github.com/tmux/tmux/wiki" rel="noopener noreferrer">tmux</a> session and a filesystem via handoff file, and with an <a href="https://agentclientprotocol.com/get-started/introduction" rel="noopener noreferrer">ACP (Agent Communication Protocol)</a>:</p> <ol> <li> <strong>ACP (Agent Communication Protocol).</strong> The "right" way. Sessions, capabilities, structured messages, the whole thing. I had this working in Part 4 with Codex. It worked. It also fell over under load, hit timeouts, and depended on a pairing dance that broke every time the Pi rebooted.</li> <li> <strong>A shared tmux session.</strong> Skip the protocol entirely, drive a real terminal that the worker lives inside. Capture the pane to read output. It works. It is also extremely fragile — anything that touches the terminal state (a stray newline, an ANSI escape, a pager that opens) corrupts the channel.</li> <li> <strong>A filesystem mailbox.</strong> OpenClaw writes a JSON file. <code>inotifywait</code> sees the file. A systemd service launches Claude Code with <code>-p</code> against that file. Claude Code writes the result to another JSON file. Done.</li> </ol> <p>I have spent weeks trying to fine-tune the ACP and Tmux, until I found <code>inotifywait</code>. The rest of this post is how that is wired up and why the others didn't work for me.</p> <h2> OpenClaw under systemd </h2> <p>Although all of the documentations of OpenClaw and Claude Code omit that, there is a hidden truth about agents - they are system processes. Which means, they will die eventually, silently - unless you deamonise them.</p> <p>We will handle it using a <code>systemd</code> file. The relevant guarantees from systemd:</p> <ul> <li> <code>Restart=on-failure</code> — the process comes back if it crashes</li> <li> <code>systemctl --user enable</code> makes it survive reboot</li> </ul> <p>Think about <code>systemd</code> like a docker container, but it lives on your bare metal. A typical systemd file looks like that:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>Unit] <span class="nv">Description</span><span class="o">=</span>OpenClaw Bot <span class="nv">After</span><span class="o">=</span>network.target <span class="nv">StartLimitIntervalSec</span><span class="o">=</span>0 <span class="o">[</span>Service] <span class="nv">Type</span><span class="o">=</span>simple <span class="nv">User</span><span class="o">={{</span> bot_user <span class="o">}}</span> <span class="nv">WorkingDirectory</span><span class="o">={{</span> bot_home <span class="o">}}</span> <span class="nv">EnvironmentFile</span><span class="o">={{</span> env_file <span class="o">}}</span> <span class="nv">Environment</span><span class="o">=</span><span class="nv">REPO_DIR</span><span class="o">={{</span> repo_dir <span class="o">}}</span> <span class="nv">Environment</span><span class="o">=</span><span class="nv">FEATURE_DOCS_DIR</span><span class="o">={{</span> feature_docs_dir <span class="o">}}</span> <span class="nv">ExecStart</span><span class="o">={{</span> bot_home <span class="o">}}</span>/scripts/start.sh <span class="nv">Restart</span><span class="o">=</span>on-failure <span class="nv">RestartSec</span><span class="o">=</span>10 <span class="o">[</span>Install] <span class="nv">WantedBy</span><span class="o">=</span>multi-user.target </code></pre> </div> <p>Start it with<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> systemctl <span class="nt">--user</span> daemon-reload systemctl <span class="nt">--user</span> <span class="nb">enable</span> <span class="nt">--now</span> openclaw-gateway.service journalctl <span class="nt">--user</span> <span class="nt">-u</span> openclaw-gateway <span class="nt">-f</span> </code></pre> </div> <p>And see the logs<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>systemctl <span class="nt">--user</span> status openclaw-gateway.service ● openclaw-gateway.service - OpenClaw Gateway Loaded: loaded <span class="o">(</span>/home/vvasylkovskyi/.config/systemd/user/openclaw-gateway.service<span class="p">;</span> enabled<span class="p">;</span> preset: enabled<span class="o">)</span> Active: active <span class="o">(</span>running<span class="o">)</span> since Mon 2026-05-18 22:14:07 BST<span class="p">;</span> 17h ago </code></pre> </div> <p>With systemd in place, OpenClaw is a thing that stays up. That is the floor.</p> <h2> Claude Code, watched by inotifywait, supervised by systemd </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F427xtsrkh68vdo8xkpxy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F427xtsrkh68vdo8xkpxy.png" alt=" " width="800" height="162"></a></p> <p>The worker side is its own systemd service, similar to the one above. Except in this case, <code>ExecStart={{ bot_home }}/scripts/start.sh</code> will:</p> <ol> <li>Start a persistent <code>inotifywait</code> loop watching the filesystem directory</li> <li> <code>inotifywait</code> triggers a shell script that, on file creation, launches Claude Code in headless mode</li> <li>A systemd service that owns the watcher and restarts it if it dies</li> </ol> <p>The watcher loop is the entire orchestration logic on the worker side. There is nothing fancy in here:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="nb">set</span> <span class="nt">-euo</span> pipefail <span class="c"># ── Watcher loop ──────────────────────────────────────────────────────────────</span> <span class="nb">echo</span> <span class="s2">"[pipeline] Watching </span><span class="nv">$FEATURE_DOCS_DIR</span><span class="s2"> for new feature docs..."</span> <span class="nb">cd</span> <span class="s2">"</span><span class="nv">$REPO_DIR</span><span class="s2">"</span> <span class="nv">CLAUDE_BIN</span><span class="o">=</span><span class="si">$(</span>find /usr/local/bin <span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/.local/bin"</span> <span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/.npm-global/bin"</span> <span class="nt">-name</span> claude 2&gt;/dev/null | <span class="nb">head</span> <span class="nt">-1</span><span class="si">)</span> inotifywait <span class="nt">-m</span> <span class="s2">"</span><span class="nv">$FEATURE_DOCS_DIR</span><span class="s2">"</span> <span class="nt">-e</span> create | <span class="k">while </span><span class="nb">read</span> <span class="nt">-r</span> path _event file<span class="p">;</span> <span class="k">do </span><span class="nb">echo</span> <span class="s2">"[pipeline] Detected: </span><span class="nv">$file</span><span class="s2"> — starting pipeline..."</span> <span class="s2">"</span><span class="nv">$CLAUDE_BIN</span><span class="s2">"</span> <span class="nt">--dangerously-skip-permissions</span> <span class="nt">-p</span> <span class="se">\</span> <span class="s2">"/implementation-orchestrator Process this feature doc: @</span><span class="k">${</span><span class="nv">path</span><span class="k">}${</span><span class="nv">file</span><span class="k">}</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"[pipeline] Done: </span><span class="nv">$file</span><span class="s2">"</span> <span class="k">done</span> </code></pre> </div> <p>When the new file is created, claude code is spawned and reads the file. The <code>claude --dangerously-skip-permissions -p</code> ensures that the headless mode is activated, and there are no confirmation prompts - human completely out of the loop.</p> <h3> Skill fine-tuned for human-out-of-the-loop </h3> <p>The message is simple: <code>"/implementation-orchestrator Process this feature doc: @${path}${file}"</code>. So whatever is in the file is the direction. The policy is the skill where we have to stir agent from asking questions with prompts like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>You are an orchestration agent running <span class="k">in </span>a fully automated headless pipeline. You must never pause <span class="k">for </span>input, never ask clarifying questions, and never <span class="nb">wait </span><span class="k">for </span>human confirmation mid-session. </code></pre> </div> <p>That is the entire worker. A watcher, a launcher, and a folder with markdown files. The interesting design choices are not in the code - they are in what I am deliberately not doing.</p> <h2> Protocols that did not work </h2> <p>It is worth being explicit about what I tried and why I abandoned it, because the file handoff looks underwhelming until you have lived with the alternatives.</p> <h2> Why we eventually pivoted from ACP to tmux </h2> <p>ACP has a lot of open issues — sessions timing out, the gateway pairing dance, the arm64 binary problem. After getting it working, I kept hitting reliability problems. There are also open GitHub issues specifically about this:</p> <ul> <li><a href="https://github.com/openclaw/openclaw/issues/29195" rel="noopener noreferrer">https://github.com/openclaw/openclaw/issues/29195</a></li> <li><a href="https://github.com/openclaw/openclaw/issues/38419" rel="noopener noreferrer">https://github.com/openclaw/openclaw/issues/38419</a></li> </ul> <p>Under heavy load, the ACP system would overload:</p> <h3> tmux </h3> <p>The pivot from ACP was to a shared tmux session. <a href="https://x.com/elvissun/status/2025920521871716562" rel="noopener noreferrer">Alegendly</a> one can spawn tmux sessions and start in them the coding agents:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>tmux list-windows <span class="nt">-t</span> agents | <span class="nb">grep</span> <span class="nt">-q</span> claude <span class="o">||</span> <span class="se">\</span> tmux new-window <span class="nt">-t</span> agents <span class="nt">-n</span> claude </code></pre> </div> <p>Then start the claude session using the below:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>tmux send-keys <span class="nt">-t</span> agents:claude <span class="se">\</span> <span class="s2">"claude --agent-file ~/.claude/CLAUDE.md"</span> Enter </code></pre> </div> <p>Spawn the worker inside tmux, drive it by writing to its stdin via <code>tmux send-keys</code>, capture results with <code>tmux capture-pane -p</code>. This works... until it doesn't, and when it doesn't, the failure is in terminal not in logs.</p> <p>The problem is executing the <code>send-keys</code> command reliably. Sometimes double enter is required, and often it is not enough. More importantly, when something fails, the error trace is not available unless we manually ssh into device and attach to the tmux session - if the session is alive. If the tmux server dies for any reason (memory pressure, a crashed pane), every running task is lost with no recovery path.</p> <p>The general lesson, which I have now learned twice, is that any IPC channel that goes through a TTY is a TTY. You do not get to pretend it is a structured stream. The terminal will assert itself eventually.</p> <h2> Why using inotify is better </h2> <p>Stepping back from the wiring, the reason the <code>inotifywait</code> won is not that it is fast or elegant. It is because the communication is battle-proven and dead simple. The watcher is reliable, and as long as the file drops in the folder, the watcher will spawn the agent. The rest of the components might fail independently but each failure has an obvious recovery. The <code>inotifywait</code> can also have failure modes, but they all show up in either the Discord channel or <code>journalctl</code>, both of which I check anyway.</p> <p>When OpenClaw dropped the file on the system, the logs show like these.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Apr 28 15:59:29 raspberry-4b systemd[1]: Started claude-coding-bot.service - Claude Code PR Bot. Apr 28 15:59:29 raspberry-4b start.sh[2514944]: <span class="o">[</span>pipeline] Watching /home/vvasylkovskyi/my-claude-code/context/feature-docs <span class="k">for </span>new feature docs... Apr 28 15:59:29 raspberry-4b start.sh[2514950]: Setting up watches. Apr 28 15:59:29 raspberry-4b start.sh[2514950]: Watches established. Apr 28 15:59:54 raspberry-4b start.sh[2514951]: <span class="o">[</span>pipeline] Detected: print-readme-testing-headless-claude-code.md — starting pipeline... Apr 28 15:59:59 raspberry-4b start.sh[2515185]: Warning: no stdin data received <span class="k">in </span>3s, proceeding without it. If piping from a slow <span class="nb">command</span>, redirect stdin explicitly: &lt; /dev/null to skip, or <span class="nb">wait </span>longer. Apr 28 16:03:24 raspberry-4b start.sh[2515185]: <span class="sb">`</span>🎉 Final PR opened: https://github.com/vvasylkovskyi/my-app/pull/2<span class="sb">`</span> Apr 28 16:03:24 raspberry-4b start.sh[2515185]: <span class="nt">---</span> Apr 28 16:03:24 raspberry-4b start.sh[2515185]: <span class="sb">```</span> <span class="o">{</span>% endraw %<span class="o">}</span> Apr 28 16:03:24 raspberry-4b start.sh[2515185]: <span class="o">===</span> Autopilot Session Complete <span class="o">===</span> Apr 28 16:03:24 raspberry-4b start.sh[2515185]: Mode: features Apr 28 16:03:24 raspberry-4b start.sh[2515185]: Repo: /home/vvasylkovskyi/my-claude-code/repo Apr 28 16:03:24 raspberry-4b start.sh[2515185]: ✅ print-readme-testing-headless-claude-code → PR <span class="c">#1 merged → feature/autopilot-2026-04-28</span> Apr 28 16:03:24 raspberry-4b start.sh[2515185]: Skipped: 0 Apr 28 16:03:24 raspberry-4b start.sh[2515185]: Completed: 1 Apr 28 16:03:24 raspberry-4b start.sh[2515185]: Failed: 0 Apr 28 16:03:24 raspberry-4b start.sh[2515185]: <span class="o">==================================</span> Apr 28 16:03:24 raspberry-4b start.sh[2515185]: Final PR <span class="k">for </span>your review: https://github.com/vvasylkovskyi/my-app/pull/2 <span class="o">{</span>% raw %<span class="o">}</span> </code></pre> </div> <p>The ACP and tmux versions of had failure modes that were silent or required SSH. <a href="https://dev.to/klement_gunndu/inside-claude-codes-hidden-multi-agent-architecture-ne4">Filesystems are used by Claude Code</a> - They can also use tmux to multiplex your open session. However in headless mode, the TTY is unreliable due to its inherent interactive nature.</p> <h2> What I would tell myself before starting </h2> <p>Multi agents architectures have little to do with AI. What matters are the deep skills in linux and building a distributed system. The filesystem communication pattern is a dead-simple, and the only approach that I didn't have to fix.</p> <p>Regarding tmux, the assumption that you can drive a terminal as if it were a structured channel is wrong. It works in the demo but it breaks the moment a tool decides to be helpful and open a pager, or the keys-send didn't send the space for the tmux session to submit question to llm. The tmux approach is fine for known, bounded outputs and dangerous for anything else.</p> <p>The filesystem watcher is not a clever design. It is a design that takes the things Linux is already good at - files, services, watchers - and arranges them so that the agent layer only has to do the parts that genuinely need an agent. Why is it so convenient? Well, because we are on the same device. Sometimes the simplest solutions are the ones taking the longest to reveal themselves.</p> claude ai agents multiagent Viktor Vasylkovskyi Wed, 06 May 2026 15:58:03 +0000 https://dev.to/vvasylkovskyi/infrastructure-as-code-toolbox-final-thoughts-and-future-work-3d0 https://dev.to/vvasylkovskyi/infrastructure-as-code-toolbox-final-thoughts-and-future-work-3d0 <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/load-test-4agk">Load Testing Infrastructure</a></p> <p>We have reached the end of this infrastructure journey. By now, you should have a solid understanding of how to provision and manage cloud infrastructure using Terraform. You've built a complete three-tier web application architecture on AWS, covering everything from networking and compute to security and data storage.</p> <p>As promised, we have delivered the following outputs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>domain_for_your_apps <span class="o">=</span> http://www.your-domain.com database_endpoint <span class="o">=</span> <span class="s2">"postgres-db.cspuccciib8v.us-east-1.rds.amazonaws.com:5432"</span> ec2_first_instance_ip_address <span class="o">=</span> <span class="s2">"3.222.64.160"</span> ec2_second_instance_ip_address <span class="o">=</span> <span class="s2">"3.223.185.158"</span> </code></pre> </div> <p>Note, all of them are public, although your are in charge of protecting them. Use them at your own risk!</p> <h2> Next Steps </h2> <p>I hope you enjoyed this hands-on journey through building infrastructure with Terraform on AWS. The goal was to provide you with a solid foundation that you can build upon.</p> <p>As you have seen from the load test, the infrastructure is far from production ready. It doesn't handle the load well, and lacks proper security in place. The missing production checklists are numerous, below I will list a few ideas for next steps you can take to enhance this infrastructure.</p> <h3> Security Enhancements </h3> <p>There are several security issues with the current setup. Doesn't mean it is insecure by default, but when you pursue production readiness and certification like Service Organization Control 2 (SOC2), you need to address them. Here are some suggestions:</p> <h4> Restrict Network Access </h4> <p>This one is about the public accessibility of our resources. We don't need to expose everything to the internet:</p> <ul> <li>Our RDS database is publicly accessible. In production it probably best to put it in private subnet, and allow access by ec2 instances only.</li> <li>The Ec2 instances are in public subnet. Since we are using a load balancer, we can put them in private subnet, and allow access only from the load balancer.</li> <li>We have exposed the SSH port (22) to the world and reuse same keys for both EC2 instances. In production, you should restrict access to known IPs and use different keys for each instance. Or use AWS Systems Manager (SSM) to access instances without SSH.</li> </ul> <h4> Encryption </h4> <p>Everything should be encrypted, both at rest and in transit:</p> <ul> <li>The RDS database does not have encryption at rest enabled. In production, you should enable it.</li> <li>Use encryption in transit - enforce HTTPS (We got this one right - using API Gateway and Load Balancer with HTTPS)</li> </ul> <h4> Access Control (IAM) </h4> <p>The current setup access sensitive resources too permissively:</p> <ul> <li>Lock the root account and use IAM roles with least privilege. Currently we are using root account credentials in the Terraform provider which is not a best practice.</li> <li>Use secrets management - no hardcoded secrets (We got this one right partially - using AWS Secrets Manager, but the secrets are injected via user data script which is not ideal, and is in plain text on the instance)</li> </ul> <h3> Disaster Recovery and Incident Response </h3> <p>The above security enhancement will provide you good preventive controls, but you also need to prepare for the worst-case scenarios:</p> <h4> Application Level Backups and Monitoring </h4> <ul> <li>Do periodic backups of your RDS database, and test the restore process.</li> <li>Enable Application Logging, Monitoring and Alerting using services like <a href="https://aws.amazon.com/cloudwatch/" rel="noopener noreferrer">CloudWatch</a> or <a href="https://grafana.com/" rel="noopener noreferrer">Grafana</a>.</li> <li>Set up an Incident Response Plan using tools like <a href="https://www.pagerduty.com/" rel="noopener noreferrer">PagerDuty</a>.</li> </ul> <h4> Cloud-Level Disaster Recovery </h4> <ul> <li>Use Infrastructure as Code (IaC) to quickly recreate your infrastructure in another region if needed (which we have done using Terraform).</li> <li>Setup logging and monitoring for your infrastructure using <a href="https://aws.amazon.com/cloudtrail/" rel="noopener noreferrer">AWS CloudTrail</a>.</li> <li>Enable logging for database, load balancer, and other services.</li> </ul> <h3> Performance and Scalability Improvements </h3> <p>Finally, to go from startup with a few users to enterprise with millions of users, you need to ensure your infrastructure can scale and perform well under load:</p> <ul> <li>Implementing auto-scaling for EC2 instances with <a href="https://aws.amazon.com/ecs/" rel="noopener noreferrer">ECS</a> </li> <li>Adding <a href="https://kubernetes.io/" rel="noopener noreferrer">Kubernetes</a> for the orchestration of containers and quick scaling from 2 instances to more</li> <li>Adding caching layers using services like <a href="https://redis.io/" rel="noopener noreferrer">Redis</a> cache,</li> <li>Using a Content Delivery Network (CDN) like <a href="https://aws.amazon.com/cloudfront/" rel="noopener noreferrer">CloudFront</a> to serve static assets faster</li> <li>Database optimization and read replicas for RDS</li> <li>Using multiple availability zones (AZs) for high availability</li> </ul> <h2> Conclusion </h2> <p>I encourage you to continue exploring and experimenting with Terraform and AWS. The possibilities are endless, and the skills you've gained here will serve you well in your infrastructure journey. Myself, I will continue expanding this guide with more advanced topics and real-world scenarios. Stay tuned for more!</p> <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/load-test-4agk">Load Testing Infrastructure</a></p> aws devops infrastructure terraform Viktor Vasylkovskyi Wed, 06 May 2026 15:57:29 +0000 https://dev.to/vvasylkovskyi/load-test-4agk https://dev.to/vvasylkovskyi/load-test-4agk <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/provisioning-postgressql-rdbms-on-aws-with-terraform-apc">Provisioning PostgreSQL RDS</a></p> <p>It would not be a complete infrastructure setup without some load testing. We have built this beautiful infrastructure that does pretty much nothing. But how much user load can it handle? Let's find out!</p> <h3> Using k6 for Load Testing </h3> <p>We are going to use <a href="https://k6.io/" rel="noopener noreferrer">k6</a> - a modern load testing tool that makes it easy to script and run load tests. First, install k6 by following the instructions on their <a href="https://grafana.com/docs/k6/latest/set-up/install-k6/" rel="noopener noreferrer">installation page</a>.</p> <h3> Writing a Load Test Script </h3> <p>We are going to create a simple load test script that hits our web application's domain. Create a file named <code>load-test.js</code> with the following content:</p> <p>We are going to simulate 10000 virtual users (VUs) over a period of 20 seconds, sending requests to our web application's domain.</p> <p>The following is the script content that you should put in <code>load-test.js</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">http</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">k6/http</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">sleep</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">k6</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">options</span> <span class="o">=</span> <span class="p">{</span> <span class="na">vus</span><span class="p">:</span> <span class="mi">10000</span><span class="p">,</span> <span class="na">duration</span><span class="p">:</span> <span class="dl">'</span><span class="s1">20s</span><span class="dl">'</span><span class="p">,</span> <span class="p">};</span> <span class="k">export</span> <span class="k">default</span> <span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="nx">http</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">http://www.your-domain.com</span><span class="dl">'</span><span class="p">);</span> <span class="nf">sleep</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> Running the Load Test </h3> <p>You can run the load test using the following command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>k6 run load-test.js </code></pre> </div> <p>The test will start, after it finishes, the <code>json</code> file will be created and you will see real-time statistics about the requests being made, response times, and any errors encountered.</p> <h3> Analyzing the Results </h3> <p>The JSON output file can be analyzed using various tools. One popular option is to use <a href="https://grafana.com/" rel="noopener noreferrer">Grafana</a> along with <a href="https://k6.io/docs/cloud/" rel="noopener noreferrer">k6 Cloud</a>. You can also use the built-in summary report that k6 provides at the end of the test run.</p> <p>I have made a simple web app to render the results, and here is a sample screenshot of how the results might look:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fudzvzddhzgep8pa1byl3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fudzvzddhzgep8pa1byl3.png" alt=" " width="800" height="295"></a></p> <p>You can see that our infrastructure did not handle the 10000 users very well! Outch!</p> <p>This is expected since we did not setup auto-scaling, or caching, and only had two EC2 instances running. In a production scenario, you would want to implement these features to handle high traffic loads effectively.</p> <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/provisioning-postgressql-rdbms-on-aws-with-terraform-apc">Provisioning PostgreSQL RDS</a> | <strong>Next:</strong> <a href="https://dev.to/vvasylkovskyi/infrastructure-as-code-toolbox-final-thoughts-and-future-work-3d0">Final Thoughts and Future Work</a></p> devops performance testing tutorial Viktor Vasylkovskyi Wed, 06 May 2026 15:56:44 +0000 https://dev.to/vvasylkovskyi/provisioning-postgressql-rdbms-on-aws-with-terraform-apc https://dev.to/vvasylkovskyi/provisioning-postgressql-rdbms-on-aws-with-terraform-apc <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/provision-aws-secret-manager-retrieval-of-secrets-4g6b">AWS Secrets Manager</a></p> <p>In this guide, we will learn how to provision a managed PostgresSQL database using Amazon RDS (Relational Database Service) with Terraform. RDS makes it easy to set up, operate, and scale a relational database in the cloud.</p> <p>Why would you want a database? Most web applications need to store and retrieve structured data. A relational database like PostgresSQL provides a reliable way to manage this data with support for complex queries, transactions, and relationships. So let's get started!</p> <h2> Overview </h2> <p>We are going to create infra same as before but with the RDS database integrated. Let's begin by looking at the architecture diagram:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmhyra4n1on17u2szgtt6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmhyra4n1on17u2szgtt6.png" alt=" " width="800" height="280"></a></p> <h2> Github Repository </h2> <p>This guide full code is available in <a href="https://github.com/IaC-Toolbox/iac-toolbox-project/tree/main/v8-rds-database" rel="noopener noreferrer">https://github.com/IaC-Toolbox/iac-toolbox-project/tree/main/v8-rds-database</a>. Feel free to clone it and follow along!</p> <h2> Adding RDS Module </h2> <p>First, let's create a new Terraform module for RDS. Create a new folder called <code>modules/rds</code> and add the following files:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/rds/main.tf</span> <span class="k">resource</span> <span class="s2">"aws_db_instance"</span> <span class="s2">"postgres"</span> <span class="p">{</span> <span class="nx">identifier</span> <span class="p">=</span> <span class="s2">"postgres-db"</span> <span class="nx">engine</span> <span class="p">=</span> <span class="s2">"postgres"</span> <span class="nx">engine_version</span> <span class="p">=</span> <span class="s2">"15"</span> <span class="nx">instance_class</span> <span class="p">=</span> <span class="s2">"db.t3.micro"</span> <span class="nx">allocated_storage</span> <span class="p">=</span> <span class="mi">20</span> <span class="nx">storage_type</span> <span class="p">=</span> <span class="s2">"gp2"</span> <span class="nx">skip_final_snapshot</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># for dev; not recommended in production</span> <span class="nx">publicly_accessible</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">username</span> <span class="p">=</span> <span class="c1"># To be filled soon</span> <span class="nx">password</span> <span class="p">=</span> <span class="c1"># To be filled soon</span> <span class="nx">db_name</span> <span class="p">=</span> <span class="c1"># To be filled soon</span> <span class="nx">vpc_security_group_ids</span> <span class="p">=</span> <span class="p">[]</span> <span class="c1"># To be filled soon</span> <span class="nx">db_subnet_group_name</span> <span class="p">=</span> <span class="c1"># To be filled soon</span> <span class="p">}</span> </code></pre> </div> <p>Above resource creates a PostgresSQL database instance with the specified parameters. We are using <code>db.t3.micro</code> instance class which is quite small and suitable for development and testing purposes. The <code>allocated_storage</code> means 20GB allocated for this database, and we are using PostgresSQL database here. The <code>skip_final_snapshot</code> is a parameter used in AWS RDS (Relational Database Service) operations, such as when deleting a database instance with Terraform or the AWS CLI. If <code>skip_final_snapshot = true</code>, AWS will not create a final backup (snapshot) of your RDS instance before deleting it. We will keep it as is for our testing purpose, but it is recommended to set it to false for production use.</p> <p>Usually, a database should be placed in private subnets for security reasons. You can create new private subnet in the <code>modules/network</code> and get it here using <code>var.private_subnet_ids</code>. However, for simplicity, we will use public subnets here. One of the side-effects of having database in a public subnet is that it will have a public endpoint, which is not recommended for production use (but fine for testing).</p> <p>Besides being inserted in a subnet, the database also needs to be part of a security group that allows access to it, It also needs database name, username and password to be created. We will provide these as variables.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/rds/variables.tf</span> <span class="k">variable</span> <span class="s2">"database_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"database_username"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"database_password"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"subnet_ids"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"vpc_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <p>And finally, we can add an output to get the database endpoint:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/rds/outputs.tf</span> <span class="k">output</span> <span class="s2">"database_endpoint"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_db_instance</span><span class="p">.</span><span class="nx">postgres</span><span class="p">.</span><span class="nx">endpoint</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The connection endpoint for the Postgres database."</span> <span class="p">}</span> </code></pre> </div> <h2> Defining Security Groups for RDS </h2> <p>We will create a simple resource that allows inbound access to PostgresSQL port 5432.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/rds/main.tf</span> <span class="k">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"rds_sg"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"rds_sg"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow Postgres access"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">5432</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">5432</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>And now, we can use this security group in our database instance:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/rds/main.tf</span> <span class="k">resource</span> <span class="s2">"aws_db_instance"</span> <span class="s2">"postgres"</span> <span class="p">{</span> <span class="p">...</span> <span class="nx">vpc_security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">rds_sg</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h2> Creating the RDS Subnet Group </h2> <p>AWS RDS requires a subnet group with at least 2 subnets in different Availability Zones for high availability and failover capabilities. For example, your database subnet group can include two private subnets from different AZs.</p> <p>We already have subnets created in <code>modules/network</code>, so we can create a subnet group in the RDS module like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_db_subnet_group"</span> <span class="s2">"default"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"rds-subnet-group"</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">for</span> <span class="nx">id</span> <span class="nx">in</span> <span class="kd">var</span><span class="p">.</span><span class="nx">subnet_ids</span> <span class="err">:</span> <span class="nx">id</span><span class="p">]</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"RDS Subnet Group"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Now, add this subnet group to the database instance:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/rds/main.tf</span> <span class="k">resource</span> <span class="s2">"aws_db_instance"</span> <span class="s2">"postgres"</span> <span class="p">{</span> <span class="p">...</span> <span class="nx">db_subnet_group_name</span> <span class="p">=</span> <span class="nx">aws_db_subnet_group</span><span class="p">.</span><span class="nx">default</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> </code></pre> </div> <h2> Using the RDS Module </h2> <p>Finally, we can use the RDS module in our main Terraform configuration. Open <code>main.tf</code> and add the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">module</span> <span class="s2">"rds"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/rds"</span> <span class="nx">database_name</span> <span class="p">=</span> <span class="s2">"my_app_db"</span> <span class="nx">database_username</span> <span class="p">=</span> <span class="s2">"your_username"</span> <span class="nx">database_password</span> <span class="p">=</span> <span class="s2">"your_secure_password"</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">public_subnet_ids</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="p">}</span> </code></pre> </div> <p>Make sure to replace <code>your_secure_password</code> with a strong password. Preferably, use Terraform variables or AWS Secrets Manager to manage sensitive information like passwords. You can read more about securing secrets in <a href="https://dev.to/vvasylkovskyi/provision-aws-secret-manager-retrieval-of-secrets-4g6b">Provisioning AWS Secret Manager and Securing Secrets</a>.</p> <h2> Outputs </h2> <p>In <code>outputs.tf</code>, add the following to get the database endpoint:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">output</span> <span class="s2">"database_endpoint"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">rds</span><span class="p">.</span><span class="nx">database_endpoint</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The connection endpoint for the Postgres database."</span> <span class="p">}</span> </code></pre> </div> <h2> Testing the Setup </h2> <p>Let's provisiong the infrastructure by running:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform init terraform apply <span class="nt">--auto-approve</span> </code></pre> </div> <p>This will create the RDS database along with the rest of the infrastructure. After the apply is complete, you should see the database endpoint in the outputs.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Outputs: database_endpoint <span class="o">=</span> <span class="s2">"postgres-db.cspuccciib8v.us-east-1.rds.amazonaws.com:5432"</span> </code></pre> </div> <p>You can use this endpoint to connect to your PostgresSQL database using any Postgres client. Let's test the connection using <code>psql</code> command-line tool:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Note, you need to install psql client first if you don't have it already</span> psql <span class="se">\</span> <span class="nt">--host</span><span class="o">=</span>postgres-db.cspuccciib8v.us-east-1.rds.amazonaws.com <span class="se">\</span> <span class="nt">--port</span><span class="o">=</span>5432 <span class="se">\</span> <span class="nt">--username</span><span class="o">=</span>your_username <span class="se">\</span> <span class="nt">--dbname</span><span class="o">=</span>my_app_db <span class="c"># Received prompt like this:</span> <span class="o">&gt;</span> Password <span class="k">for </span>user your_username: <span class="c"># Enter the password you specified earlier</span> <span class="c"># You should see the psql prompt if the connection is successful:</span> psql <span class="o">(</span>17.5, server 15.14<span class="o">)</span> SSL connection <span class="o">(</span>protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, compression: off, ALPN: none<span class="o">)</span> Type <span class="s2">"help"</span> <span class="k">for </span>help. <span class="nv">my_app_db</span><span class="o">=&gt;</span> </code></pre> </div> <p>And you are connected to your PostgresSQL database running on AWS RDS! Now you can start creating tables, inserting data, and running queries.</p> <h2> Destroying Infra </h2> <p>Remember, infra has costs. When you are done experimenting, you can destroy the infra like follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform destroy <span class="nt">--auto-approve</span> </code></pre> </div> <h2> Conclusion </h2> <p>In this guide, we learned how to provision a managed PostgresSQL database using Amazon RDS with Terraform. We created a dedicated RDS module, defined security groups, and subnet groups, and integrated the database into our existing infrastructure. With the database up and running, you can now build applications that leverage its capabilities for data storage and retrieval.</p> <p>Usually the connection to the database should be done from application servers running in private subnets for security reasons. In production scenarios, consider additional aspects such as automated backups, monitoring, scaling, and high availability configurations. Explore more about RDS features in the <a href="https://docs.aws.amazon.com/rds/index.html" rel="noopener noreferrer">Amazon RDS Documentation</a>.</p> <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/provision-aws-secret-manager-retrieval-of-secrets-4g6b">AWS Secrets Manager</a> | <strong>Next:</strong> <a href="https://dev.to/vvasylkovskyi/load-test-4agk">Load Testing Infrastructure</a></p> aws database postgres terraform Viktor Vasylkovskyi Wed, 06 May 2026 15:56:10 +0000 https://dev.to/vvasylkovskyi/provision-aws-secret-manager-retrieval-of-secrets-4g6b https://dev.to/vvasylkovskyi/provision-aws-secret-manager-retrieval-of-secrets-4g6b <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/provision-cloudfront-cdn-with-terraform-94m">CloudFront CDN with Terraform</a></p> <p>Every modern web app has secrets that need to be shared securely with it. You web application may need to have a environment variable like an API key. That key should be stored in <a href="https://aws.amazon.com/secrets-manager/" rel="noopener noreferrer">AWS secrets manager</a>, it is a great use case for us to learn about how to give access to instance to the secret.</p> <h2> Overview </h2> <p>We are going to create infra same as before but with the secrets manager integrated</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fosbwo11zjun6hxlpspp4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fosbwo11zjun6hxlpspp4.png" alt=" " width="800" height="282"></a></p> <h2> Github Repository </h2> <p>This guide full code is available in <a href="https://github.com/IaC-Toolbox/iac-toolbox-project/tree/main/v7-secrets" rel="noopener noreferrer">https://github.com/IaC-Toolbox/iac-toolbox-project/tree/main/v7-secrets</a>. Feel free to clone it and follow along!</p> <h2> Creating a Secret in AWS Secret Manager </h2> <p>Now lets add the actual secrets. We need to add secrets only once, and then reference them. This is the process that we will repeat everytime the secret has to be updated. Let's do this from a command line using <code>aws</code> cli:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws secretsmanager create-secret <span class="se">\</span> <span class="nt">--name</span> <span class="s2">"my_app/v1/credentials"</span> <span class="se">\</span> <span class="nt">--description</span> <span class="s2">"Application credentials"</span> <span class="se">\</span> <span class="nt">--secret-string</span> <span class="s1">'{ "my_api_key": "your-api-key", }'</span> </code></pre> </div> <p>This command will create the secret values. If everything goes well, you should see an output like below:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">{</span> <span class="s2">"ARN"</span>: <span class="s2">"arn:aws:secretsmanager:us-east-1:088656249151:secret:&lt;your-service&gt;/&lt;some-path&gt;/credentials-MhS9Um"</span>, <span class="s2">"Name"</span>: <span class="s2">"&lt;your-service&gt;/&lt;some-path&gt;/credentials"</span>, <span class="s2">"VersionId"</span>: <span class="s2">"61c33df3-6e38-4f7f-8b9d-fda8bad3c880"</span> <span class="o">}</span> </code></pre> </div> <p>That output indicates your newly created secrets container with the secret.</p> <h2> Adding a secret </h2> <p>Now, we can add a dummy secret value. This can be done via UI, or CLI. Here is an example using CLI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">## Update secrets</span> <span class="c">#!/bin/bash</span> <span class="c"># Check if .env file exists</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> .env <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Error: .env file not found!"</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># Read .env file and create JSON string</span> <span class="nv">JSON_STRING</span><span class="o">=</span><span class="s2">"{"</span> <span class="nv">FIRST</span><span class="o">=</span><span class="nb">true </span><span class="k">while </span><span class="nv">IFS</span><span class="o">=</span><span class="s1">'='</span> <span class="nb">read</span> <span class="nt">-r</span> key value<span class="p">;</span> <span class="k">do</span> <span class="c"># Skip empty lines and comments</span> <span class="o">[[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$key</span><span class="s2">"</span> <span class="o">||</span> <span class="s2">"</span><span class="nv">$key</span><span class="s2">"</span> <span class="o">=</span>~ ^# <span class="o">]]</span> <span class="o">&amp;&amp;</span> <span class="k">continue</span> <span class="c"># Remove quotes from value</span> <span class="nv">value</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$value</span><span class="s2">"</span> | <span class="nb">sed</span> <span class="s1">'s/^"//;s/"$//'</span><span class="si">)</span> <span class="c"># Add comma if not first item</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$FIRST</span><span class="s2">"</span> <span class="o">=</span> <span class="nb">true</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nv">FIRST</span><span class="o">=</span><span class="nb">false </span><span class="k">else </span><span class="nv">JSON_STRING</span><span class="o">=</span><span class="s2">"</span><span class="nv">$JSON_STRING</span><span class="s2">,"</span> <span class="k">fi</span> <span class="c"># Add key-value pair to JSON</span> <span class="nv">JSON_STRING</span><span class="o">=</span><span class="s2">"</span><span class="nv">$JSON_STRING</span><span class="se">\"</span><span class="nv">$key</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="nv">$value</span><span class="se">\"</span><span class="s2">"</span> <span class="k">done</span> &lt; .env <span class="nv">JSON_STRING</span><span class="o">=</span><span class="s2">"</span><span class="nv">$JSON_STRING</span><span class="s2">}"</span> <span class="c"># Check if secret exists</span> <span class="k">if </span>aws secretsmanager describe-secret <span class="nt">--secret-id</span> <span class="s2">"my_app/v1/credentials"</span> <span class="o">&gt;</span>/dev/null 2&gt;&amp;1<span class="p">;</span> <span class="k">then</span> <span class="c"># Update existing secret</span> aws secretsmanager update-secret <span class="se">\</span> <span class="nt">--secret-id</span> <span class="s2">"my_app/v1/credentials"</span> <span class="se">\</span> <span class="nt">--secret-string</span> <span class="s2">"</span><span class="nv">$JSON_STRING</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"Secret updated successfully!"</span> <span class="k">else</span> <span class="c"># Create new secret</span> aws secretsmanager create-secret <span class="se">\</span> <span class="nt">--name</span> <span class="s2">"portfolio/app/credentials"</span> <span class="se">\</span> <span class="nt">--description</span> <span class="s2">"Application credentials"</span> <span class="se">\</span> <span class="nt">--secret-string</span> <span class="s2">"</span><span class="nv">$JSON_STRING</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"Secret created successfully!"</span> <span class="k">fi</span> </code></pre> </div> <p>The above script will read the <code>.env</code> file from a local folder, convert it to JSON format, and then either create a new secret or update an existing one in AWS Secrets Manager.</p> <p>Now let's create an <code>.env</code> file in the same folder as the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">my_api_key</span><span class="o">=</span><span class="s2">"your-api-key"</span> <span class="c"># Note, the new line is important at the end of the file</span> </code></pre> </div> <p>Let's run the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>bash update-secrets.sh <span class="c"># Output below</span> <span class="o">{</span> <span class="s2">"ARN"</span>: <span class="s2">"arn:aws:secretsmanager:us-east-1:088656249151:secret:my_app/v1/credentials-5x50LZ"</span>, <span class="s2">"Name"</span>: <span class="s2">"my_app/v1/credentials"</span>, <span class="s2">"VersionId"</span>: <span class="s2">"8202b548-5236-45d2-94f4-4d87d146ad00"</span> <span class="o">}</span> Secret updated successfully! </code></pre> </div> <h2> Provisioning AWS Secret Manager and using Secrets </h2> <p>Let's start using the secrets in our infrastructure:</p> <h3> Retrieving Secret Container </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/secrets/main.tf</span> <span class="nx">data</span> <span class="s2">"aws_caller_identity"</span> <span class="s2">"current"</span> <span class="p">{}</span> <span class="nx">data</span> <span class="s2">"aws_secretsmanager_secret"</span> <span class="s2">"app_secrets"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">credentials_name</span> <span class="p">}</span> </code></pre> </div> <p>The code above defines a new secret in AWS Secrets Manager. It doesn't contain the actual secret value, just metadata about the secret. The <code>name</code> parameter should match the secret name you created using AWS CLI.</p> <p><code>data "aws_caller_identity" "current" {}</code> is a special AWS data source that provides information about the AWS account and IAM principal (user or role) currently being used to make API calls. It requires no arguments and returns three key pieces of information:</p> <ul> <li> <code>account_id</code> - Your AWS account number</li> <li> <code>arn</code> - The ARN (Amazon Resource Name) of the IAM user or role</li> <li> <code>user_id</code> - The unique identifier of the IAM user or role</li> </ul> <h3> Getting Secret Value </h3> <p>Next, we will define a data source to retrieve the secret value:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/secrets/main.tf</span> <span class="nx">data</span> <span class="s2">"aws_secretsmanager_secret_version"</span> <span class="s2">"current"</span> <span class="p">{</span> <span class="nx">secret_id</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_secretsmanager_secret</span><span class="p">.</span><span class="nx">app_secrets</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <p>We are using <code>id</code> from the previous data source to find the correct secret. By default it gets the latest version of the secret.</p> <p>Since the secret is a JSON string, we use <code>jsondecode</code> to convert this into Terraform map. We have to provide the <code>variables.tf</code> and <code>outputs.tf</code> files as well:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/secrets/variables.tf</span> <span class="nx">variable</span> <span class="s2">"credentials_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/secrets/outputs.tf</span> <span class="nx">output</span> <span class="s2">"secrets"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">jsondecode</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">aws_secretsmanager_secret_version</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">secret_string</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>Now, to use it in main module and in our ec-2 instance, we can do the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># main.tf</span> <span class="nx">module</span> <span class="s2">"secrets"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/secrets"</span> <span class="nx">credentials_name</span> <span class="p">=</span> <span class="s2">"my_app/v1/credentials"</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"ec2_first_instance"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/ec2"</span> <span class="nx">instance_ami</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_ami</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">security_group_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">security_group</span><span class="p">.</span><span class="nx">security_group_id</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">public_subnet_ids</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="nx">ssh_public_key</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ssh_public_key</span> <span class="nx">ssh_key_name</span> <span class="p">=</span> <span class="s2">"ec2-key-first-instance"</span> <span class="nx">user_data</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOF</span><span class="sh"> #!/bin/bash sudo apt-get update -y sudo apt-get install -y docker.io sudo systemctl start docker sudo systemctl enable docker # Add user to docker group sudo usermod -aG docker $USERNAME sudo docker run -d -p 80:80 \ -e MY_API_KEY=${module.secrets.secrets.my_api_key} \ nginx </span><span class="no"> EOF </span><span class="p">}</span> <span class="nx">module</span> <span class="s2">"ec2_second_instance"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/ec2"</span> <span class="nx">instance_ami</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_ami</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">security_group_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">security_group</span><span class="p">.</span><span class="nx">security_group_id</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">public_subnet_ids</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="nx">ssh_public_key</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ssh_public_key</span> <span class="c1"># Note, you can use the same public key for both instances, but not recommended for production</span> <span class="nx">ssh_key_name</span> <span class="p">=</span> <span class="s2">"ec2-key-second-instance"</span> <span class="nx">user_data</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOF</span><span class="sh"> #!/bin/bash sudo apt-get update -y sudo apt-get install -y docker.io sudo systemctl start docker sudo systemctl enable docker # Add user to docker group sudo usermod -aG docker $USERNAME sudo docker run -d -p 80:80 \ -e MY_API_KEY=${module.secrets.secrets.my_api_key} \ nginx </span><span class="no"> EOF </span><span class="p">}</span> </code></pre> </div> <p>Note that we are passing the secret value as an environment variable to the docker container using <code>-e</code> (environment variable) flag. Let's apply the changes here to ensure nothing breaks so far. Run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform init terraform apply <span class="nt">--auto-approve</span> </code></pre> </div> <h2> Testing the setup </h2> <p>To test if our setup is working, we can SSH into our EC-2 instance and check if the environment variable is set correctly.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh-add path/to/your/private-key.pem <span class="c"># Adds your private key to the ssh-agent</span> ssh ubuntu@&lt;EC2_PUBLIC_IP&gt; <span class="c"># Replace with your EC2 public IP</span> <span class="c">## Inside the EC2 instance, run:</span> ubuntu@ip-10-0-61-134:~<span class="nv">$ </span><span class="nb">sudo </span>docker ps <span class="c"># Outputs:</span> CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES e4dba1c33ac9 nginx <span class="s2">"/docker-entrypoint.…"</span> 3 seconds ago Up 1 second 0.0.0.0:80-&gt;80/tcp, :::80-&gt;80/tcp recursing_haslett </code></pre> </div> <p>The above command shows that our nginx container is running. Now, let's check if the environment variable is set correctly inside the container:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>docker <span class="nb">exec</span> <span class="nt">-it</span> e4dba1c33ac9 /bin/bash <span class="c"># Replace with your container ID, you can get it from `docker ps` command</span> <span class="c">## Inside the container</span> root@e4dba1c33ac9:/# <span class="nb">echo</span> <span class="nv">$MY_API_KEY</span> <span class="c">## Outputs</span> your-api-key </code></pre> </div> <h2> Destroying Infra </h2> <p>Remember, infra has costs. When you are done experimenting, you can destroy the infra like follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform destroy <span class="nt">--auto-approve</span> </code></pre> </div> <h2> Conclusion </h2> <p>So far this might have worked, but the secrets now get stored in plain text on the EC-2 instance. This is not ideal from security perspective. For instance, anyone with SSH access to the EC-2 instance can see the user data as follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl http://169.254.169.254/latest/user-data <span class="c"># Reveals user data in plain text</span> <span class="c">#!/bin/bash</span> <span class="nb">sudo </span>apt-get update <span class="nt">-y</span> <span class="nb">sudo </span>apt-get <span class="nb">install</span> <span class="nt">-y</span> docker.io <span class="nb">sudo </span>systemctl start docker <span class="nb">sudo </span>systemctl <span class="nb">enable </span>docker <span class="c"># Add user to docker group</span> <span class="nb">sudo </span>usermod <span class="nt">-aG</span> docker <span class="nv">$USERNAME</span> <span class="nb">sudo </span>docker run <span class="nt">-d</span> <span class="nt">-p</span> 80:80 <span class="se">\</span> <span class="nt">-e</span> <span class="nv">MY_API_KEY</span><span class="o">=</span>your-api-key <span class="se">\</span> nginx </code></pre> </div> <p>So while this tutorial shows how to setup the secrets store with AWS (Which you should do), the retrieval of secrets approach is not secure. Although it works. Providing a secure way is our of scope for now, since we are focusing on setting up a running infra rather than secure. Baby steps.</p> <p>Next, we will explore the next very important resource in AWS - The RDS (Relational Database Service) and see how to provision a managed database in AWS.</p> <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/provision-cloudfront-cdn-with-terraform-94m">CloudFront CDN with Terraform</a> | <strong>Next:</strong> <a href="https://dev.to/vvasylkovskyi/provisioning-postgressql-rdbms-on-aws-with-terraform-apc">Provisioning PostgreSQL RDS</a></p> aws devops security terraform Viktor Vasylkovskyi Wed, 06 May 2026 15:55:36 +0000 https://dev.to/vvasylkovskyi/provision-cloudfront-cdn-with-terraform-94m https://dev.to/vvasylkovskyi/provision-cloudfront-cdn-with-terraform-94m <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/provisioning-application-load-balancer-and-connecting-it-to-ec-2-instance-using-terraform-4po7">Application Load Balancer SSL</a></p> <p>Previously we have seen how to setup an EC-2 instance, run a simple web server and expose it at your domain using Route53. This allows us to access our web server using HTTP at port 80. If you haven't read about it, please refer to the previous notes:</p> <ul> <li><a href="https://dev.to/vvasylkovskyi/deploying-ec2-instance-on-aws-with-terraform-2h00">Deploying EC2 instance on AWS with Terraform</a></li> <li><a href="https://dev.to/vvasylkovskyi/provision-dns-records-with-terraform-2oja">Provision DNS records with Terraform</a></li> </ul> <p>The natural next step in that setup is to use HTTPS (HTTP + SSL) and enforce access at port 443 instead. We will do it here by adding Cloudfront and ACM to our terraform setup. Let's dive in.</p> <h2> Adding Cloudfront distribution </h2> <p>I will confess that it is not super easy to add CloudFront + ACM for HTTPS for a beginner, so I will break down the steps from simplest cloud architecture to most complicated one hopefully clarifying the steps and the reason for taking them.</p> <p>First step to add an HTTPS using Cloudfront is naturally to create a Cloudfront distribution. Cloudfront distribution is a CDN network that expands copies of your data towards other geographical locations. From the programmer point of view, Cloudfront is a URL - the distribution URL that uses the content from the <code>origin</code>. Hence these are the two fundamental pieces that we need for now to make sure the distribution works. So let's dive in.</p> <h3> Adding Cloudfront - Creating Origin Server </h3> <p>First thing is to define our origin endpoint. We can do it using Route53, where the origin is a URL pointing to our Ec-2 instance. Let's do it<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/dns/main.tf</span> <span class="k">resource</span> <span class="s2">"aws_route53_zone"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"viktorvasylkovskyi.com"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_route53_record"</span> <span class="s2">"origin"</span> <span class="p">{</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">main_zone_id</span> <span class="nx">name</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">domain_name</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"A"</span> <span class="nx">ttl</span> <span class="p">=</span> <span class="mi">300</span> <span class="nx">records</span> <span class="p">=</span> <span class="p">[</span><span class="kd">var</span><span class="p">.</span><span class="nx">origin_ip</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>Make sure to add the variables in <code>variables.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/dns/variables.tf</span> <span class="k">variable</span> <span class="s2">"main_zone_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"domain_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"origin_ip"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <p>And the origin_ip is going to be the public IP of our Ec-2 instance. So in the main <code>tf</code> file we need to update the module call:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># main.tf</span> <span class="k">module</span> <span class="s2">"dns"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/dns"</span> <span class="nx">domain_name</span> <span class="p">=</span> <span class="s2">"origin.your-domain.com"</span> <span class="nx">main_zone_id</span> <span class="p">=</span> <span class="nx">aws_route53_zone</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">zone_id</span> <span class="nx">origin_ip</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">ec2</span><span class="p">.</span><span class="nx">public_ip</span> <span class="p">}</span> </code></pre> </div> <p>And let's make sure to output the FQDN of our origin:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/dns/outputs.tf</span> <span class="k">output</span> <span class="s2">"origin_dns_record"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_route53_record</span><span class="p">.</span><span class="nx">origin</span><span class="p">.</span><span class="nx">fqdn</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The FQDN of the origin Route53 record"</span> <span class="p">}</span> </code></pre> </div> <p>You can test now by running <code>terraform apply</code>. Note, this <code>origin.your-domain.com</code> is going to be available on HTTP now.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy40d5whd1guo2f5iksii.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy40d5whd1guo2f5iksii.png" alt=" " width="534" height="144"></a></p> <h3> Adding Cloudfront - Define Distribution </h3> <p>Now that we have an origin, we can create distribution:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/cloudfront/main.tf</span> <span class="k">resource</span> <span class="s2">"aws_cloudfront_distribution"</span> <span class="s2">"cdn"</span> <span class="p">{</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">default_root_object</span> <span class="p">=</span> <span class="s2">"index.html"</span> <span class="nx">origin</span> <span class="p">{</span> <span class="nx">domain_name</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">aws_route53_origin_fqdn</span> <span class="nx">origin_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">aws_route53_origin_fqdn</span> <span class="nx">custom_origin_config</span> <span class="p">{</span> <span class="nx">http_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">https_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">origin_protocol_policy</span> <span class="p">=</span> <span class="s2">"http-only"</span> <span class="nx">origin_ssl_protocols</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"TLSv1.2"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">default_cache_behavior</span> <span class="p">{</span> <span class="nx">allowed_methods</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"GET"</span><span class="p">,</span> <span class="s2">"HEAD"</span><span class="p">]</span> <span class="nx">cached_methods</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"GET"</span><span class="p">,</span> <span class="s2">"HEAD"</span><span class="p">]</span> <span class="nx">target_origin_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">aws_route53_origin_fqdn</span> <span class="nx">forwarded_values</span> <span class="p">{</span> <span class="nx">query_string</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">cookies</span> <span class="p">{</span> <span class="nx">forward</span> <span class="p">=</span> <span class="s2">"none"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">viewer_protocol_policy</span> <span class="p">=</span> <span class="s2">"redirect-to-https"</span> <span class="nx">min_ttl</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">default_ttl</span> <span class="p">=</span> <span class="mi">3600</span> <span class="nx">max_ttl</span> <span class="p">=</span> <span class="mi">86400</span> <span class="p">}</span> <span class="nx">price_class</span> <span class="p">=</span> <span class="s2">"PriceClass_100"</span> <span class="nx">viewer_certificate</span> <span class="p">{</span> <span class="nx">cloudfront_default_certificate</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">restrictions</span> <span class="p">{</span> <span class="nx">geo_restriction</span> <span class="p">{</span> <span class="nx">restriction_type</span> <span class="p">=</span> <span class="s2">"none"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Whoa! that is a lot of configs. One of the main pieces there is the <code>target_origin_id</code>. This will be pointing to our <code>origin.your-domain.com</code>. For now we will use <code>cloudfront_default_certificate</code> which is CloudFront certificate.</p> <p>Let's add a variable and test output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/cloudfront/variables.tf</span> <span class="k">variable</span> <span class="s2">"aws_route53_origin_fqdn"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <p>And output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/cloudfront/outputs.tf</span> <span class="k">output</span> <span class="s2">"cloudfront_distribution_domain_name"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_cloudfront_distribution</span><span class="p">.</span><span class="nx">cdn</span><span class="p">.</span><span class="nx">domain_name</span> <span class="p">}</span> </code></pre> </div> <p>Also, if you followed through previous article on setting up the API Gateway, then make sure to remove the API Gateway related code from the <code>main.tf</code> and <code>variables.tf</code> files as we are not using it here. Additionally, ensure that you have the security group allowing HTTP from anywhere:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/security_group/main.tf</span> <span class="k">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"Security Group for API"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="p">}</span> <span class="p">...</span> <span class="nx">rest</span> <span class="nx">of</span> <span class="nx">the</span> <span class="nx">code</span> <span class="p">...</span> <span class="p">}</span> </code></pre> </div> <p>Finally, update the <code>main.tf</code> file to pass the origin FQDN to CloudFront module:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># main.tf</span> <span class="k">module</span> <span class="s2">"cloudfront"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/cloudfront"</span> <span class="nx">aws_route53_origin_fqdn</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">dns</span><span class="p">.</span><span class="nx">origin_dns_record</span> <span class="p">}</span> </code></pre> </div> <p>Also, ensure that we have outputs for CloudFront distribution domain name:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># outputs.tf</span> <span class="k">output</span> <span class="s2">"cloudfront_distribution_domain_name"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_cloudfront_distribution</span><span class="p">.</span><span class="nx">cdn</span><span class="p">.</span><span class="nx">domain_name</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"cloudfront_distribution_hosted_zone_id"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_cloudfront_distribution</span><span class="p">.</span><span class="nx">cdn</span><span class="p">.</span><span class="nx">hosted_zone_id</span> <span class="p">}</span> </code></pre> </div> <h2> Apply changes </h2> <p>Install the new module with <code>terraform init</code> and then run <code>terraform apply</code> and observe the <code>cloudfront_distribution_domain_name</code> output. It should return something like<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>d123456789abcdef.cloudfront.net. <span class="c"># example URL</span> </code></pre> </div> <p>If everything went well then you should be able to open the URL in the browser. (Notice the URL in browser)</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxodoeopdtjpa8d1fyzes.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxodoeopdtjpa8d1fyzes.png" alt=" " width="466" height="134"></a></p> <h2> Provision SSL Certificate </h2> <p>You can follow the previous guide on <a href="//./provision-ssl-certificate">Provisioning SSL Certificate</a> to provision the SSL certificate using ACM. Ensure that you have the certificate ARN available for use in the API Gateway module.</p> <h3> Adding CloudFront Distribution </h3> <p>In the next step we are going to create a cloudfront distribution which contains an endpoint with HTTPS termination and is a place where we are going to place our SSL certificate. First we need to set a rule to wait for the certificate to be validated before creating the distribution.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/cloudfront/main.tf</span> <span class="k">resource</span> <span class="s2">"aws_cloudfront_distribution"</span> <span class="s2">"cdn"</span> <span class="p">{</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="kd">var</span><span class="p">.</span><span class="nx">acm_certificate</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>Ensure to add a variable for it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/cloudfront/variables.tf</span> <span class="k">variable</span> <span class="s2">"acm_certificate"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <p>And bring this certificate from the <code>main.tf</code> file, from ssl module:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># main.tf</span> <span class="k">module</span> <span class="s2">"ssl_acm"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/acm"</span> <span class="nx">aws_route53_zone_id</span> <span class="p">=</span> <span class="nx">aws_route53_zone</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">zone_id</span> <span class="p">}</span> <span class="k">module</span> <span class="s2">"cloudfront_cdn"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/cloudfront"</span> <span class="nx">aws_route53_origin_fqdn</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">aws_route53_record</span><span class="p">.</span><span class="nx">origin_dns_record</span> <span class="nx">acm_certificate</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">ssl_acm</span><span class="p">.</span><span class="nx">aws_acm_certificate_arn</span> <span class="p">}</span> </code></pre> </div> <h3> Use SSL Certificate in CloudFront </h3> <p>We can now change the <strong>Viewer certificate:</strong> on CloudFront to use our validated ACM certificate for <a href="https://www.your-domain.com" rel="noopener noreferrer">https://www.your-domain.com</a>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/cloudfront/main.tf</span> <span class="k">resource</span> <span class="s2">"aws_cloudfront_distribution"</span> <span class="s2">"cdn"</span> <span class="p">{</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="kd">var</span><span class="p">.</span><span class="nx">acm_certificate</span><span class="p">]</span> <span class="p">...</span> <span class="nx">other</span> <span class="nx">code</span> <span class="p">...</span> <span class="nx">viewer_certificate</span> <span class="p">{</span> <span class="nx">acm_certificate_arn</span> <span class="p">=</span> <span class="nx">aws_acm_certificate</span><span class="p">.</span><span class="nx">cert</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">ssl_support_method</span> <span class="p">=</span> <span class="s2">"sni-only"</span> <span class="nx">minimum_protocol_version</span> <span class="p">=</span> <span class="s2">"TLSv1.2_2021"</span> <span class="p">}</span> <span class="p">...</span> <span class="nx">other</span> <span class="nx">code</span> <span class="p">...</span> <span class="p">}</span> </code></pre> </div> <h3> Route 53 Record Pointing to CloudFront </h3> <p>Now that Cloudfront setup is done, it is going to be available between our ec2 instance and our DNS. So now we have the Cloudfront doing SSL and sending requests to the ec2 instance. The last step is to enable our DNS Route 53 to send.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/dns/main.tf</span> <span class="k">resource</span> <span class="s2">"aws_route53_record"</span> <span class="s2">"origin"</span> <span class="p">{</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">main_zone_id</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"origin.viktorvasylkovskyi.com"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"A"</span> <span class="nx">ttl</span> <span class="p">=</span> <span class="mi">300</span> <span class="nx">records</span> <span class="p">=</span> <span class="p">[</span><span class="kd">var</span><span class="p">.</span><span class="nx">origin_ip</span><span class="p">]</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_route53_record"</span> <span class="s2">"www"</span> <span class="p">{</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">main_zone_id</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"www.viktorvasylkovskyi.com"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"A"</span> <span class="nx">alias</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">target_domain_name</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">hosted_zone_id</span> <span class="nx">evaluate_target_health</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>And make sure to use the correct variables:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/dns/variables.tf</span> <span class="k">variable</span> <span class="s2">"main_zone_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"target_domain_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"hosted_zone_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"origin_ip"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <p>This sets an alias A record in Route 53 so your domain <code>www.your-domain.com</code> points to the CloudFront distribution instead of the EC2 directly.</p> <p>Finally, let's glue it all together in the <code>main.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># main.tf</span> <span class="k">resource</span> <span class="s2">"aws_route53_zone"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"your-domain.com"</span> <span class="p">}</span> <span class="k">module</span> <span class="s2">"ssl_acm"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/acm"</span> <span class="nx">aws_route53_zone_id</span> <span class="p">=</span> <span class="nx">aws_route53_zone</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">zone_id</span> <span class="p">}</span> <span class="k">module</span> <span class="s2">"cloudfront_cdn"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/cloudfront"</span> <span class="nx">aws_route53_origin_fqdn</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">aws_route53_record</span><span class="p">.</span><span class="nx">origin_dns_record</span> <span class="nx">acm_certificate</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">ssl_acm</span><span class="p">.</span><span class="nx">aws_acm_certificate_arn</span> <span class="p">}</span> <span class="k">module</span> <span class="s2">"aws_route53_record"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/dns"</span> <span class="nx">main_zone_id</span> <span class="p">=</span> <span class="nx">aws_route53_zone</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">zone_id</span> <span class="nx">origin_ip</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">ec2</span><span class="p">.</span><span class="nx">public_ip</span> <span class="nx">target_domain_name</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">cloudfront_cdn</span><span class="p">.</span><span class="nx">cloudfront_distribution_domain_name</span> <span class="nx">hosted_zone_id</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">cloudfront_cdn</span><span class="p">.</span><span class="nx">cloudfront_distribution_hosted_zone_id</span> <span class="p">}</span> </code></pre> </div> <p>Lastly, let's not forget to expose port 443 in our VPC security group:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># security_group.tf</span> <span class="k">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"my-app"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"SSH Port"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="p">...</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"0.0.0.0/0"</span> <span class="p">]</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="p">}</span> <span class="p">...</span> <span class="p">}</span> </code></pre> </div> <h3> Output </h3> <p>Finally, let's add some output for debugging:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># output.tf</span> <span class="k">output</span> <span class="s2">"https_url"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"https://www.your-domain.com"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Public HTTPS endpoint for the EC2 app."</span> <span class="p">}</span> </code></pre> </div> <p>All should be working now, lets try to provision our new infrastructure. Run: <code>terraform apply --auto-approve</code>.</p> <h2> Final Validations </h2> <p>You should be able to open your app using <code>https://www.your-domain.com</code>. However if it is not working, we can troubleshoot:</p> <h3> Check DNS propagation </h3> <p>Run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>dig www.your-domain.com +short </code></pre> </div> <p>If it still returns an IP address, it means the A record is pointing directly to EC2 and not CloudFront — which won't support HTTPS directly.</p> <h2> Destroying Infra </h2> <p>Remember, infra has costs. When you are done experimenting, you can destroy the infra like follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform destroy <span class="nt">--auto-approve</span> </code></pre> </div> <h2> Conclusion </h2> <p>We have covered quite a bit of things today:</p> <ul> <li>SSL certificate via ACM</li> <li>HTTPS access via CloudFront</li> <li>DNS validation using Route 53</li> <li>A secure, CDN-backed endpoint for your EC2 app at <a href="https://www.your-domain.com" rel="noopener noreferrer">https://www.your-domain.com</a> </li> </ul> <p>At this point you are well equipped to set you application in production as you now have HTTPS and a Ec-2 instance and can access to it via your domain name. Next, lets explore how to setup Application Load Balancer in front of our EC-2 instance. Continue reading the <a href="//./provisioning-alb-as-ssl-termination-and-ec2">Provision Application Load Balancer with Terraform</a>.</p> <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/provisioning-application-load-balancer-and-connecting-it-to-ec-2-instance-using-terraform-4po7">Application Load Balancer SSL</a> | <strong>Next:</strong> <a href="https://dev.to/vvasylkovskyi/provision-aws-secret-manager-retrieval-of-secrets-4g6b">AWS Secrets Manager</a></p> aws infrastructure terraform tutorial Viktor Vasylkovskyi Wed, 06 May 2026 15:55:14 +0000 https://dev.to/vvasylkovskyi/provisioning-application-load-balancer-and-connecting-it-to-ec-2-instance-using-terraform-4po7 https://dev.to/vvasylkovskyi/provisioning-application-load-balancer-and-connecting-it-to-ec-2-instance-using-terraform-4po7 <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/provisioning-api-gateway-and-connecting-it-to-ec-2-instance-using-terraform-48ib">API Gateway SSL Termination</a></p> <p>In this notes we will continue improving on our infrastructure by adding HTTPS to our web app.</p> <p>Due to extra complexity in requirements of setting up the ALB, our network topology will suffer some changes. For example, a load balancer requires two availability zones to run in AWS. This means extra configuration overhead which we will have to work with.</p> <p>As a bonus, since we will have multiple availability zones, we are going to showcase in the end of this guide how to make ALB work with 2 EC-2 instances. And you could scale to as much instances as you want!</p> <h2> Architecture Overview </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa3m1le29ket44gb900uf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa3m1le29ket44gb900uf.png" alt=" " width="800" height="247"></a></p> <p>We will do the following:</p> <ul> <li>Modify Network so that we have two subnets in two availability zones. This is required for load balancer to work.</li> <li>Provision SSL certificate using ACM, for load balancer</li> <li>Provision Load Balancer itself, and make it proxy requests to the EC-2 instances</li> <li>Update Route53 to point our DNS to the Load Balancer</li> <li>Update Ec-2 to serve slightly different app for demonstration purposes</li> </ul> <h2> Github Repository </h2> <p>This guide full code is available in <a href="https://github.com/IaC-Toolbox/iac-toolbox-project/tree/main/v6-ssl-load-balancer" rel="noopener noreferrer">https://github.com/IaC-Toolbox/iac-toolbox-project/tree/main/v6-ssl-load-balancer</a>. Feel free to clone it and follow along!</p> <h2> Modify Network module to have multiple availability zones </h2> <p>In the <code>modules/network</code>, change the <code>main.tf</code> to include multiple availability zones:</p> <p>For simplicity, we will define only two public subnets, without private subnets.</p> <h4> List Availability Zones </h4> <p>First, we will define a resource listing availability zones.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/network/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_vpc"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_cidr</span> <span class="nx">enable_dns_hostnames</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_dns_support</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">data</span> <span class="s2">"aws_availability_zones"</span> <span class="s2">"available"</span> <span class="p">{}</span> </code></pre> </div> <p>This resource returns a list of all AZ available in the region configured in the AWS credentials.</p> <h4> Add two public subnets </h4> <p>We will be using the terraform <code>count</code> directive. <code>count</code> is used as a loop, so we can define some resource multiple times. Since we only need two public subnets, naturaly the <code>count=2</code>. Let's write two public subnets:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/network/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"public"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="nx">cidrsubnet</span><span class="p">(</span><span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">cidr_block</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">2</span> <span class="err">+</span> <span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">)</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_availability_zones</span><span class="p">.</span><span class="nx">available</span><span class="p">.</span><span class="nx">names</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">]</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">map_public_ip_on_launch</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <p>We are referencing the <code>data.aws_availability_zones.available.names</code> defined about to choose an availability name in our <code>vpc</code>. Besides that, we need the route table to define how network traffic is directed within our VPC (i.e., after internet gateway).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/network/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_internet_gateway"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_route_table"</span> <span class="s2">"public"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">route</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">gateway_id</span> <span class="p">=</span> <span class="nx">aws_internet_gateway</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The above code will create a route table for our VPC. The <code>route</code> says that all the outbound traffic <code>0.0.0.0/0</code> will be directed to the internet via the VPC's Internet Gateway. This piece of code essentially makes our subnet using this route table <em>public</em>. Now this route table is attached to our VPC, but not to subnet. To attach it to our two subnets, we need to create an association between subnets and this route table:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/network/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_route_table_association"</span> <span class="s2">"public"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">public</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">].</span><span class="nx">id</span> <span class="nx">route_table_id</span> <span class="p">=</span> <span class="nx">aws_route_table</span><span class="p">.</span><span class="nx">public</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <p>Finally, we will make our route table a main one, just to leave explicit association.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/network/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_main_route_table_association"</span> <span class="s2">"public_main"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">route_table_id</span> <span class="p">=</span> <span class="nx">aws_route_table</span><span class="p">.</span><span class="nx">public</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <p>Let's expose the public subnet IDs as output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/network/outputs.tf</span> <span class="nx">output</span> <span class="s2">"vpc_id"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"public_subnet_ids"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">public</span><span class="p">[*].</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <h2> Provision SSL Certificate </h2> <p>Let's create an ACM resource. You can follow the previous guide on <a href="https://dev.to/vvasylkovskyi/provisioning-ssl-certificate-109a">Provisioning SSL Certificate</a> to provision the SSL certificate using ACM. Ensure that you have the certificate ARN available for use in the API Gateway module.</p> <h2> Provisioning AWS Load Balancer </h2> <p>Now that we have network and SSL certificate, we can start provisioning load balancer itself.</p> <h3> Creating ALB </h3> <p>First, let's create ALB resource:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/alb/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_lb"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"my-app-alb"</span> <span class="nx">internal</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">load_balancer_type</span> <span class="p">=</span> <span class="s2">"application"</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">my_alb</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">subnets</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnets</span> <span class="p">}</span> </code></pre> </div> <p>Load balancer will to be inserted in front of our public subnets (hence the <code>internal=false</code>), i.e, the subnets that we have just created. The <code>load_balancer_type=application</code> is the typical for most web applications. Alternatives are <code>network</code> and <code>gateway</code>.</p> <p>The security group for ALB needs to allow igress for 443 (SSL) and egress for everything is fine for now.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/alb/main.tf</span> <span class="k">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"my_alb"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"Security Group for Application Load Balancer"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Note we are passing multiple <code>subnets</code> created in the network module above. Let's define them as variable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/alb/variables.tf</span> <span class="nx">variable</span> <span class="s2">"subnets"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"vpc_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <h3> Provision ALB Target Group and ALB Listener </h3> <p>The ALB Listener and ALB Target Group are input and output rules of ALB. We will define that ALB accepts requests at port 443 and use <code>certificate_arn</code> our SSL certificate. The only action ALB will do is HTTPS termination and then a simple forward to the ALB Target group - our cluster.</p> <p><strong>Begin with defining ALB Listener:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/alb/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_lb_listener"</span> <span class="s2">"https"</span> <span class="p">{</span> <span class="nx">load_balancer_arn</span> <span class="p">=</span> <span class="nx">aws_lb</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"HTTPS"</span> <span class="nx">ssl_policy</span> <span class="p">=</span> <span class="s2">"ELBSecurityPolicy-2016-08"</span> <span class="nx">certificate_arn</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">acm_certificate_cert_arn</span> <span class="nx">default_action</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"forward"</span> <span class="nx">target_group_arn</span> <span class="p">=</span> <span class="nx">aws_lb_target_group</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">acm_certificate_cert</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>And now, we have to define our target group: <code>target_group_arn</code>.</p> <p><strong>Defining our Target Group:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/alb/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_lb_target_group"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"my-app-tg"</span> <span class="nx">port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"HTTP"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">health_check</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"/"</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"HTTP"</span> <span class="nx">matcher</span> <span class="p">=</span> <span class="s2">"200-399"</span> <span class="nx">interval</span> <span class="p">=</span> <span class="mi">30</span> <span class="nx">timeout</span> <span class="p">=</span> <span class="mi">15</span> <span class="nx">healthy_threshold</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">unhealthy_threshold</span> <span class="p">=</span> <span class="mi">5</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_lb</span><span class="p">.</span><span class="nx">my_app</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>From our load balancer we will forward requests into our cluster, which contains Ec-2 instances listening on port 80. Since we are in our subnet, it is safe to use HTTP. The <code>health_check</code> block defines which URL the ALB uses to decide if the target containers are healthy. Here we define the base URL since this is our simples python server application. You can read more information about <a href="https://docs.aws.amazon.com/elasticloadbalancing/latest/application/target-group-health-checks.html" rel="noopener noreferrer">health checks on AWS docs</a>. <code>healthy_threshold</code> and <code>unhealthy_threshold</code> define how many (failed) healthchecks a target should be evaluated as healthy or unhealthy. These healthchecks are performed in intervals of seconds defined in interval.</p> <p>Let's not forget to define the additional variables in <code>variables.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/alb/variables.tf</span> <span class="nx">variable</span> <span class="s2">"subnets"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"vpc_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"acm_certificate_cert_arn"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"acm_certificate_cert"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">object</span><span class="p">({</span> <span class="nx">arn</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">id</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <h3> Attach EC-2 to the Target Group </h3> <p>For Load Balancer to forward requests to the EC-2, we need to attach it to the target group. This is done using <code>aws_lb_target_group_attachment</code> resource:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_lb_target_group_attachment"</span> <span class="s2">"ec2_attachment"</span> <span class="p">{</span> <span class="nx">target_group_arn</span> <span class="p">=</span> <span class="nx">aws_lb_target_group</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">target_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ec2_first_instance_id</span> <span class="nx">port</span> <span class="p">=</span> <span class="mi">80</span> <span class="p">}</span> </code></pre> </div> <p>Note port 80 is the HTTP but it is fine, since we already checked for SSL at the load balancer listener.</p> <p>Let's add a variable for <code>ec2_first_instance_id</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/alb/variables.tf</span> <span class="nx">variable</span> <span class="s2">"ec2_first_instance_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <p>Note, we have called it <code>ec2_first_instance_id</code> because we will be adding more EC-2 instances later. Let's ensure setup works with one instance first... Oh well! It is not that hard. Let's prepare out load balancer to accept array of ec2 instances already</p> <p><strong>Variables</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/alb/variables.tf</span> <span class="nx">variable</span> <span class="s2">"ec2_instance_ids"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p><strong>Attachment Resource</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/alb/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_lb_target_group_attachment"</span> <span class="s2">"ec2_attachment"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">ec2_instance_ids</span><span class="p">)</span> <span class="nx">target_group_arn</span> <span class="p">=</span> <span class="nx">aws_lb_target_group</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">target_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ec2_instance_ids</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">]</span> <span class="nx">port</span> <span class="p">=</span> <span class="mi">80</span> <span class="p">}</span> </code></pre> </div> <p>Note we are using the <code>count</code> directive to loop over all the EC-2 instance IDs passed in the variable <code>ec2_instance_ids</code>.</p> <p><strong>Outputs</strong></p> <p>And lets expose the DNS name and zone ID of the load balancer for later use in Route53:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/alb/outputs.tf</span> <span class="nx">output</span> <span class="s2">"dns_name"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_lb</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">dns_name</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"zone_id"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_lb</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">zone_id</span> <span class="p">}</span> </code></pre> </div> <h2> Update Route53 to Point to ALB </h2> <p>We have HTTPS on our ALB, now we have to make DNS point to ALB.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/dns/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_route53_record"</span> <span class="s2">"record"</span> <span class="p">{</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_route53_zone</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">zone_id</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">domain_name</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"A"</span> <span class="nx">alias</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">aws_dns_name</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">aws_zone_id</span> <span class="nx">evaluate_target_health</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>and Outputs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/dns/outputs.tf</span> <span class="nx">output</span> <span class="s2">"www_dns_record"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_route53_record</span><span class="p">.</span><span class="nx">www</span><span class="p">.</span><span class="nx">fqdn</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The FQDN of the www Route53 record"</span> <span class="p">}</span> </code></pre> </div> <h2> Update Ec-2 to use the subnets from the network module </h2> <p>The Ec-2 instance also needs to be updated to use one of the two public subnets created in the network module:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/ec2/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_key_pair"</span> <span class="s2">"ssh-key"</span> <span class="p">{</span> <span class="nx">key_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ssh_key_name</span> <span class="nx">public_key</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ssh_public_key</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">security_group_name</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="p">}</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_ami</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">availability_zone</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">associate_public_ip_address</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnet_id</span> <span class="nx">key_name</span> <span class="p">=</span> <span class="nx">aws_key_pair</span><span class="p">.</span><span class="nx">ssh-key</span><span class="p">.</span><span class="nx">key_name</span> <span class="nx">user_data</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOF</span><span class="sh"> #!/bin/bash sudo yum update -y || sudo apt-get update -y sudo yum install -y python3 || sudo apt-get install -y python3 echo "&lt;html&gt;&lt;body&gt;&lt;h1&gt;Hello from Terraform EC2!&lt;/h1&gt;&lt;/body&gt;&lt;/html&gt;" &gt; index.html nohup python3 -m http.server 80 &amp; </span><span class="no"> EOF </span><span class="p">}</span> </code></pre> </div> <h2> Now let's glue everything together in the Root Module </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># main.tf</span> <span class="nx">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="nx">shared_credentials_files</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"./.aws-credentials"</span><span class="p">]</span> <span class="nx">profile</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"network"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/network"</span> <span class="nx">vpc_cidr</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="nx">subnet_cidr</span> <span class="p">=</span> <span class="s2">"10.0.1.0/24"</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">availability_zone</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"ec2_first_instance"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/ec2"</span> <span class="nx">instance_ami</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_ami</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">availability_zone</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">public_subnet_ids</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="nx">ssh_public_key</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ssh_public_key</span> <span class="nx">ssh_key_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ssh_key_name</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_route53_zone"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"viktorvasylkovskyi.com"</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"ssl_acm"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/acm"</span> <span class="nx">aws_route53_zone_id</span> <span class="p">=</span> <span class="nx">aws_route53_zone</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">zone_id</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"alb"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/alb"</span> <span class="nx">subnets</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">public_subnet_ids</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">acm_certificate_arn</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">ssl_acm</span><span class="p">.</span><span class="nx">aws_acm_certificate_arn</span> <span class="nx">aws_acm_certificate_cert</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">ssl_acm</span><span class="p">.</span><span class="nx">aws_acm_certificate_cert</span> <span class="nx">ec2_instance_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">module</span><span class="p">.</span><span class="nx">ec2_first_instance</span><span class="p">.</span><span class="nx">instance_id</span><span class="p">]</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"aws_route53_record"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/dns"</span> <span class="nx">main_zone_id</span> <span class="p">=</span> <span class="nx">aws_route53_zone</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">zone_id</span> <span class="nx">target_domain_name</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">alb</span><span class="p">.</span><span class="nx">dns_name</span> <span class="nx">hosted_zone_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">alb</span><span class="p">.</span><span class="nx">zone_id</span> <span class="p">}</span> </code></pre> </div> <h2> Creating second EC-2 instance </h2> <p>We need to alter out ec2 module so that we can create multiple instances.</p> <h3> Single SSH Key Pair per EC-2 instance </h3> <p>One of the things we have to change is the SSH key pair. Each EC-2 instance needs to have its own key pair. So we will add a variable <code>ssh_key_name</code> to the ec2 module. Same to the <code>security_group_name</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/ec2/variables.tf</span> <span class="nx">variable</span> <span class="s2">"instance_ami"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"instance_type"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"availability_zone"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"subnet_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"ssh_public_key"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"ssh_key_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"security_group_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <p>And int he <code>main.tf</code> of the ec2 module we will use this variable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/ec2/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_key_pair"</span> <span class="s2">"ssh-key"</span> <span class="p">{</span> <span class="nx">key_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ssh_key_name</span> <span class="nx">public_key</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ssh_public_key</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">security_group_name</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="p">}</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># ... rest of the code ...</span> </code></pre> </div> <h3> No hardcoding availability zone </h3> <p>We will also remove hardcoding of availability zone in the ec2 module, so that we can create multiple instances in different availability zones. Since we are already passing <code>subnet_id</code> to the ec2 module, we do not need to pass availability zone separately. So we can remove it from the variables and from the ec2 instance resource.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/ec2/variables.tf</span> <span class="nx">variable</span> <span class="s2">"instance_ami"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"instance_type"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"security_group_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"subnet_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"ssh_public_key"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"ssh_key_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"security_group_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/ec2/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_ami</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">associate_public_ip_address</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnet_id</span> <span class="nx">key_name</span> <span class="p">=</span> <span class="nx">aws_key_pair</span><span class="p">.</span><span class="nx">ssh-key</span><span class="p">.</span><span class="nx">key_name</span> <span class="nx">user_data</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOF</span><span class="sh"> #!/bin/bash sudo yum update -y || sudo apt-get update -y sudo yum install -y python3 || sudo apt-get install -y python3 echo "&lt;html&gt;&lt;body&gt;&lt;h1&gt;Hello from Terraform EC2!&lt;/h1&gt;&lt;/body&gt;&lt;/html&gt;" &gt; index.html nohup python3 -m http.server 80 &amp; </span><span class="no"> EOF </span><span class="p">}</span> </code></pre> </div> <p>To create a second EC-2 instance, we can simply duplicate the <code>ec2_first_instance</code> module call and change the subnet to the second public subnet created in the network module.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># main.tf</span> <span class="nx">module</span> <span class="s2">"ec2_first_instance"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/ec2"</span> <span class="nx">instance_ami</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_ami</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">security_group_name</span> <span class="p">=</span> <span class="s2">"first-ec2-instance"</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">public_subnet_ids</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="nx">ssh_public_key</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ssh_public_key</span> <span class="nx">ssh_key_name</span> <span class="p">=</span> <span class="s2">"ec2-key-first-instance"</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"ec2_second_instance"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/ec2"</span> <span class="nx">instance_ami</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_ami</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">security_group_name</span> <span class="p">=</span> <span class="s2">"second-ec2-instance"</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">public_subnet_ids</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="nx">ssh_public_key</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ssh_public_key</span> <span class="c1"># Note, you can use the same public key for both instances, but not recommended for production</span> <span class="nx">ssh_key_name</span> <span class="p">=</span> <span class="s2">"ec2-key-second-instance"</span> <span class="p">}</span> <span class="c1"># ... other code ...</span> <span class="nx">module</span> <span class="s2">"alb"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/alb"</span> <span class="nx">subnets</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">public_subnet_ids</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">acm_certificate_arn</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">ssl_acm</span><span class="p">.</span><span class="nx">aws_acm_certificate_arn</span> <span class="nx">aws_acm_certificate_cert</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">ssl_acm</span><span class="p">.</span><span class="nx">aws_acm_certificate_cert</span> <span class="nx">ec2_instance_ids</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">module</span><span class="p">.</span><span class="nx">ec2_first_instance</span><span class="p">.</span><span class="nx">instance_id</span><span class="p">,</span> <span class="nx">module</span><span class="p">.</span><span class="nx">ec2_second_instance</span><span class="p">.</span><span class="nx">instance_id</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h3> Custom Initializing of ec-2 user data </h3> <p>To make things a little more interesting, let's change the <code>user_data</code> of the ec-2 instances to show which instance is serving the request. We can do that by changing the <code>user_data</code> in the ec2 module to accept a variable <code>user_data</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/ec2/variables.tf</span> <span class="nx">variable</span> <span class="s2">"instance_ami"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"instance_type"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"security_group_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"subnet_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"ssh_public_key"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"ssh_key_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"security_group_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"user_data"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <h3> Setting user data in ec2 module, start docker container </h3> <p>To test our setup and load balancer work, we need to see both ec-2 instances serving different content. We can do that by passing different <code>user_data</code> to each ec-2 instance module call. Of course, in production you will probably want them to be the same to achieve redundancy and make load balancer worth its while. Here we are doing it for the demonstration purposes only.</p> <p>First, let's update the ec2 module to use the <code>user_data</code> variable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/ec2/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_ami</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">security_group_id</span><span class="p">]</span> <span class="nx">associate_public_ip_address</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnet_id</span> <span class="nx">key_name</span> <span class="p">=</span> <span class="nx">aws_key_pair</span><span class="p">.</span><span class="nx">ssh-key</span><span class="p">.</span><span class="nx">key_name</span> <span class="nx">user_data</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">user_data</span> <span class="p">}</span> </code></pre> </div> <p>And now, we can pass different <code>user_data</code> to each ec-2 instance module call in the root module. Let's keep the <code>user_data</code> in the first ec-2 instance as is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"ec2_first_instance"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/ec2"</span> <span class="nx">instance_ami</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_ami</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">public_subnet_ids</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="nx">ssh_public_key</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ssh_public_key</span> <span class="nx">ssh_key_name</span> <span class="p">=</span> <span class="s2">"ec2-key-first-instance"</span> <span class="nx">security_group_name</span> <span class="p">=</span> <span class="s2">"first-ec2-instance"</span> <span class="nx">user_data</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOF</span><span class="sh"> #!/bin/bash sudo yum update -y || sudo apt-get update -y sudo yum install -y python3 || sudo apt-get install -y python3 echo "&lt;html&gt;&lt;body&gt;&lt;h1&gt;Hello from Terraform EC2!&lt;/h1&gt;&lt;/body&gt;&lt;/html&gt;" &gt; index.html nohup python3 -m http.server 80 &amp; </span><span class="no"> EOF </span><span class="p">}</span> </code></pre> </div> <p>And now, the second ec-2 instance will have different <code>user_data</code>. Let's make it server the docker image with nginx:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"ec2_second_instance"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/ec2"</span> <span class="nx">instance_ami</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_ami</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">public_subnet_ids</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="nx">ssh_public_key</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ssh_public_key</span> <span class="c1"># Note, you can use the same public key for both instances, but not recommended for production</span> <span class="nx">ssh_key_name</span> <span class="p">=</span> <span class="s2">"ec2-key-second-instance"</span> <span class="nx">security_group_name</span> <span class="p">=</span> <span class="s2">"second-ec2-instance"</span> <span class="nx">user_data</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOF</span><span class="sh"> #!/bin/bash sudo apt-get update -y sudo apt-get install -y docker.io sudo systemctl start docker sudo systemctl enable docker # Add user to docker group sudo usermod -aG docker $USERNAME sudo docker run -d -p 80:80 nginx </span><span class="no"> EOF </span><span class="p">}</span> </code></pre> </div> <p>Finally, add outputs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># outputs.tf</span> <span class="nx">output</span> <span class="s2">"ec2_first_instance_ip_address"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">ec2_first_instance</span><span class="p">.</span><span class="nx">public_ip</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The Elastic IP address allocated to the first EC2 instance."</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"ec2_second_instance_ip_address"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">ec2_second_instance</span><span class="p">.</span><span class="nx">public_ip</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The Elastic IP address allocated to the second EC2 instance."</span> <span class="p">}</span> </code></pre> </div> <h2> Testing the setup </h2> <p>Now run the following commands:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform init terraform apply <span class="nt">--auto-approve</span> </code></pre> </div> <p>And observe the output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Outputs: ec2_first_instance_ip_address <span class="o">=</span> <span class="s2">"34.201.164.185"</span> ec2_second_instance_ip_address <span class="o">=</span> <span class="s2">"54.236.186.223"</span> </code></pre> </div> <p>Navigate to <code>https://www.your-domain.com</code> and see the magic happen!<br> Double check that you have two EC-2 instances serving the requests by refreshing the page multiple times.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq148emhz40887h27i0kr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq148emhz40887h27i0kr.png" alt=" " width="800" height="169"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fulqz2b0a7aydqxz80ub2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fulqz2b0a7aydqxz80ub2.png" alt=" " width="800" height="177"></a></p> <h2> Destroying Infra </h2> <p>Remember, infra has costs. When you are done experimenting, you can destroy the infra like follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform destroy <span class="nt">--auto-approve</span> </code></pre> </div> <h2> Conclusion </h2> <p>Whoa! This was quite a journey. I am super glad you made it to the end. We have successfully provisioned an Application Load Balancer with SSL termination and connected it to multiple EC-2 instances using Terraform. This is a solid foundation for building scalable and secure web applications on AWS. For now this is the end of the road. However, there is lots of things to explore further, such as autoscaling groups, more complex health checks, and advanced routing rules.</p> <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/provisioning-api-gateway-and-connecting-it-to-ec-2-instance-using-terraform-48ib">API Gateway SSL Termination</a> | <strong>Next:</strong> <a href="https://dev.to/vvasylkovskyi/provision-cloudfront-cdn-with-terraform-94m">CloudFront CDN with Terraform</a></p> aws infrastructure terraform tutorial Viktor Vasylkovskyi Wed, 06 May 2026 15:54:40 +0000 https://dev.to/vvasylkovskyi/provisioning-api-gateway-and-connecting-it-to-ec-2-instance-using-terraform-48ib https://dev.to/vvasylkovskyi/provisioning-api-gateway-and-connecting-it-to-ec-2-instance-using-terraform-48ib <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/provisioning-ssl-certificate-109a">Provision SSL Certificate</a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fldq8hvulkgixsfbkmfm4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fldq8hvulkgixsfbkmfm4.png" alt=" " width="800" height="237"></a></p> <p>The architecture of our infrastructure is going to change a bit now, as we have to accommodate the API Gateway in between our Ec-2 and the DNS resolution. The overall architecture looks like this:</p> <ul> <li>Provision SSL certificate using ACM, for our API Gateway</li> <li>Provision API Gateway itself, and make it proxy requests to EC-2 instance</li> <li>Update Route53 to point our DNS to the Load Balancer</li> <li>Update EC-2 Instance to enable port 80, and update the security group with rule to accept incoming traffic only from API Gateway.</li> </ul> <h2> Github Repository </h2> <p>This guide full code is available in <a href="https://github.com/IaC-Toolbox/iac-toolbox-project/tree/main/v5-api-gateway" rel="noopener noreferrer">https://github.com/IaC-Toolbox/iac-toolbox-project/tree/main/v5-api-gateway</a>. Feel free to clone it and follow along!</p> <h2> Provision SSL Certificate </h2> <p>You can follow the previous guide on <a href="https://dev.to/vvasylkovskyi/provisioning-ssl-certificate-109a">Provisioning SSL Certificate</a> to provision the SSL certificate using ACM. Ensure that you have the certificate ARN available for use in the API Gateway module.</p> <h2> Provisioning AWS API Gateway </h2> <p>Now that we have network and SSL certificate, we can start provisioning the API Gateway itself.</p> <h3> Creating API Gateway </h3> <p>First, let's create API Gateway resource:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/api-gateway/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_apigatewayv2_api"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">api_name</span> <span class="nx">protocol_type</span> <span class="p">=</span> <span class="s2">"HTTP"</span> <span class="p">}</span> </code></pre> </div> <p>The above creates an API Container for a new API Gateway HTTP API (v2 is the newer version). We tell the API name an tell it that it is an HTTP API. It could be also web socket one if using <code>protocol_type = WEBSOCKET</code>.</p> <h3> Creating Integration to Ec2 </h3> <p>Now, we are going to define the integration between our ec2 and the new api gateway:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/api-gateway/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_apigatewayv2_integration"</span> <span class="s2">"ec2"</span> <span class="p">{</span> <span class="nx">api_id</span> <span class="p">=</span> <span class="nx">aws_apigatewayv2_api</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> <span class="nx">integration_type</span> <span class="p">=</span> <span class="s2">"HTTP_PROXY"</span> <span class="nx">integration_uri</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ec2_public_url</span> <span class="nx">integration_method</span> <span class="p">=</span> <span class="s2">"ANY"</span> <span class="nx">payload_format_version</span> <span class="p">=</span> <span class="s2">"1.0"</span> <span class="p">}</span> </code></pre> </div> <p>We define the both <code>uri</code>s above - the API Gateway and the EC-2 instance. <code>integration_type</code> tells that it is an HTTP Proxy meaning that all requests are forwarded into <code>integration_url</code> as is. <code>payload_format_version</code> is simply to ensure the request/response payload use HTTP/1.1 passthrough formatting.</p> <p>Notice that <code>ec2_public_url</code> has to be a full URL like: <code>"http://&lt;public-ec2-ip&gt;:8080"</code></p> <h3> Integration Routes </h3> <p>Now that we have integration done, we need to specify when to activate it, i.e., on which request route. In our case it is all the requests should be routed to EC-2, so we need to say "whatever the request route/path, proxy it to ec2". Saying it in terraform language is like following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/api-gateway/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_apigatewayv2_route"</span> <span class="s2">"proxy"</span> <span class="p">{</span> <span class="nx">api_id</span> <span class="p">=</span> <span class="nx">aws_apigatewayv2_api</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> <span class="nx">route_key</span> <span class="p">=</span> <span class="s2">"ANY /{proxy+}"</span> <span class="nx">target</span> <span class="p">=</span> <span class="s2">"integrations/${aws_apigatewayv2_integration.ec2.id}"</span> <span class="p">}</span> </code></pre> </div> <p>The <code>ANY</code> - match all HTTP methods: <code>GET</code>, <code>POST</code>, <code>PUT</code>, etc., <code>/{proxy+}</code> is to match any pathname, and the <code>target</code> is naturally the target our ec2 integration.</p> <h3> Adding Stage </h3> <p>API Gateways require definition of deployment and stage. Stages exist because API Gateway is designed for API lifecycle management. They allow us define environments like <code>dev</code> vs <code>prod</code>. Let's start coding it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/api-gateway/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_apigatewayv2_stage"</span> <span class="s2">"default"</span> <span class="p">{</span> <span class="nx">api_id</span> <span class="p">=</span> <span class="nx">aws_apigatewayv2_api</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"$default"</span> <span class="nx">auto_deploy</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <p>We will specify <code>$default</code> stage meaning we do not have production and dev environment, we only have 1 environment, since this is enough for our use case. Note, it bigger projects, we could have wanted multiple stages for better deployment strategies of API like separate environments (dev/staging/prod) but only a single API definition.</p> <ul> <li> <a href="https://api.example.com/dev/" rel="noopener noreferrer">https://api.example.com/dev/</a>... → forwards to dev EC2</li> <li> <a href="https://api.example.com/prod/" rel="noopener noreferrer">https://api.example.com/prod/</a>... → forwards to prod EC2</li> </ul> <p>the <code>auto_deploy = true</code> means changes to routes/integrations are automatically deployed (no need for manual deploys).</p> <h3> Custom Domain Mapping </h3> <p>Finally we have all the integration and rules in place, we are going to move a big higher in the picture and changing DNS and SSL to our Gateway API. It is pretty simple to do:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/api-gateway/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_apigatewayv2_domain_name"</span> <span class="s2">"custom"</span> <span class="p">{</span> <span class="nx">domain_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">domain_name</span> <span class="nx">domain_name_configuration</span> <span class="p">{</span> <span class="nx">certificate_arn</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">acm_certificate_arn</span> <span class="nx">endpoint_type</span> <span class="p">=</span> <span class="s2">"REGIONAL"</span> <span class="nx">security_policy</span> <span class="p">=</span> <span class="s2">"TLS_1_2"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>We simply specify the <code>domain_name</code> for DNS and the <code>certificate_arn</code> for SSL. <code>endpoint_type = "REGIONAL"</code> means that the API Gateway is deployed regionally and is not optimized for edge like for example in cloudfront. Finally we glue it all together in the mapping:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_apigatewayv2_api_mapping"</span> <span class="s2">"mapping"</span> <span class="p">{</span> <span class="nx">api_id</span> <span class="p">=</span> <span class="nx">aws_apigatewayv2_api</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> <span class="nx">domain_name</span> <span class="p">=</span> <span class="nx">aws_apigatewayv2_domain_name</span><span class="p">.</span><span class="nx">custom</span><span class="p">.</span><span class="nx">id</span> <span class="nx">stage</span> <span class="p">=</span> <span class="nx">aws_apigatewayv2_stage</span><span class="p">.</span><span class="nx">default</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <p>Together, these ensure our API is available at <a href="https://api.example.com" rel="noopener noreferrer">https://api.example.com</a> instead of the ugly default abcdef123.execute-api.us-east-1.amazonaws.com.</p> <h3> Adding Route53 alias record </h3> <p>Finally, we want to make our DNS entry point at the custom domain in API Gateway:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/dns/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_route53_record"</span> <span class="s2">"www"</span> <span class="p">{</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">main_zone_id</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">domain_name</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"A"</span> <span class="nx">alias</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">target_domain_name</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">hosted_zone_id</span> <span class="nx">evaluate_target_health</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>With new accepted variables:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/dns/variables.tf</span> <span class="nx">variable</span> <span class="s2">"target_domain_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"hosted_zone_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <p>And we will pass them from the outputs of API Gateway module. So first, let's define the outputs in <code>modules/api-gateway/outputs.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/api-gateway/outputs.tf</span> <span class="nx">output</span> <span class="s2">"aws_apigatewayv2_domain_name"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_apigatewayv2_domain_name</span><span class="p">.</span><span class="nx">custom</span><span class="p">.</span><span class="nx">domain_name_configuration</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">target_domain_name</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The custom domain name for the API Gateway"</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"aws_apigatewayv2_hosted_zone_id"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_apigatewayv2_domain_name</span><span class="p">.</span><span class="nx">custom</span><span class="p">.</span><span class="nx">domain_name_configuration</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">hosted_zone_id</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The hosted zone ID for the API Gateway custom domain"</span> <span class="p">}</span> </code></pre> </div> <h2> Using it as a module </h2> <p>Now that we have defined all the moving pieces of the API Gateway module, we can use it in our terraform as follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># main.tf</span> <span class="nx">module</span> <span class="s2">"api_gateway"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/api-gateway"</span> <span class="nx">api_name</span> <span class="p">=</span> <span class="s2">"my-api"</span> <span class="nx">domain_name</span> <span class="p">=</span> <span class="s2">"myapp.example.com"</span> <span class="nx">acm_certificate_arn</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">ssl_acm</span><span class="p">.</span><span class="nx">aws_acm_certificate_arn</span> <span class="nx">ec2_public_url</span> <span class="p">=</span> <span class="s2">"http://${module.ec2.public_ip}:80"</span> <span class="p">}</span> </code></pre> </div> <h2> Updating Ec-2 firewall rules </h2> <p>We have added an API Gateway and told it that our ec2 is ready to listen on port 80. Next we need to update the firewall security groups of our ec-2 instance so that the port 80 is actually opened. Once it is opened, we will harden the rule by saying that it should accept connections only from our API Gateway. Let's update the Ec-2 security group. From <a href="https://www.iac-toolbox.com/blog/02-deploying-ec2-instance-with-terraform" rel="noopener noreferrer">Deploying EC2 instance on AWS with Terraform</a>, our security group originally looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"0.0.0.0/0"</span> <span class="p">]</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>We will update it with port 80:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"SSH port for API"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_ip_ranges</span><span class="p">.</span><span class="nx">apigw</span><span class="p">.</span><span class="nx">cidr_blocks</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>And the <code>cird_blocks</code> are the IP ranges that are allowed for that security group, in our case inbound traffic for port 80. The <code>data.aws_ip_ranges.apigw.cidr_blocks</code> come from the official AWS public IP ranges JSON. It will not work just like that, we need to make terraform fetch this JSON by writing it down:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">data</span> <span class="s2">"aws_ip_ranges"</span> <span class="s2">"apigw"</span> <span class="p">{</span> <span class="nx">services</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"API_GATEWAY"</span><span class="p">]</span> <span class="c1"># Only API Gateway IPs</span> <span class="nx">regions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"us-east-1"</span><span class="p">]</span> <span class="c1"># Your API Gateway region</span> <span class="p">}</span> </code></pre> </div> <p>We can also output them to see what IPs are those:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">output</span> <span class="s2">"apigw_ips"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_ip_ranges</span><span class="p">.</span><span class="nx">apigw</span><span class="p">.</span><span class="nx">cidr_blocks</span> <span class="p">}</span> </code></pre> </div> <h2> Testing </h2> <p>Now that we have all the code in place, I will let you glue the modules together. Once the code is ready, run <code>terraform init</code> and <code>terraform apply --auto-approve</code> and see that your infra is working now with the API Gateway!</p> <h2> Destroying Infra </h2> <p>Remember, infra has costs. When you are done experimenting, you can destroy the infra like follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform destroy <span class="nt">--auto-approve</span> </code></pre> </div> <h2> Conclusion </h2> <p>And that is a wrap! We have provisioned the setup that achieves the following:</p> <ul> <li>Users hit <a href="https://www.example.com" rel="noopener noreferrer">https://www.example.com</a> </li> <li>DNS (Route 53) resolves to API Gateway</li> <li>API Gateway terminates SSL (using ACM cert)</li> <li>Routes any request → EC2 backend (via public IP).</li> </ul> <p>This architecture is great for simple APIs that need SSL offloading without the overhead of load balancers or CDNs. API Gateway handles scaling, SSL, and routing, while EC2 runs your application logic. Continue experimenting and building and follow into the next article.</p> <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/provisioning-ssl-certificate-109a">Provision SSL Certificate</a> | <strong>Next:</strong> <a href="//./08-application-load-balancer-ssl">Application Load Balancer SSL</a></p> api aws devops terraform Viktor Vasylkovskyi Wed, 06 May 2026 15:54:02 +0000 https://dev.to/vvasylkovskyi/provisioning-ssl-certificate-109a https://dev.to/vvasylkovskyi/provisioning-ssl-certificate-109a <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/provisioning-ssl-termination-for-web-application-2ll8">SSL Termination Overview</a></p> <p>To enable SSL termination in AWS, you first need to provision an SSL certificate using AWS Certificate Manager (ACM). This certificate will be used by services like API Gateway or Application Load Balancer to encrypt traffic between your users and your application.</p> <p>In this guide, we will walk through the steps to request and validate an SSL certificate using Terraform. Then the certificate can be provisioned as a terraform module, and we will show how to use it in the next guides:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyg8dns502p06sri57azm.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyg8dns502p06sri57azm.png" alt=" " width="800" height="269"></a></p> <h2> Github Repository </h2> <p>This guide full code is available in <a href="https://github.com/IaC-Toolbox/iac-toolbox-project/tree/main/v4-acm-ssl" rel="noopener noreferrer">https://github.com/IaC-Toolbox/iac-toolbox-project/tree/main/v4-acm-ssl</a>. Feel free to clone it and follow along!</p> <h2> Provision SSL Certificate </h2> <p>let's create an ACM resource. We will do that in new module: <code>modules/acm</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/acm/main.tf</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"us_east_1"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="nx">shared_credentials_files</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"./.aws-credentials"</span><span class="p">]</span> <span class="nx">profile</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_acm_certificate"</span> <span class="s2">"cert"</span> <span class="p">{</span> <span class="k">provider</span> <span class="p">=</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">us_east_1</span> <span class="nx">domain_name</span> <span class="p">=</span> <span class="s2">"your-domain.com"</span> <span class="nx">validation_method</span> <span class="p">=</span> <span class="s2">"DNS"</span> <span class="nx">subject_alternative_names</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"www.your-domain.com"</span><span class="p">,</span> <span class="s2">"your-domain.com"</span><span class="p">]</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">create_before_destroy</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Note, that ACM certificates for API Gateway must be created in <code>us-east-1</code> region, regardless of where your API Gateway is located. Hence, we define a separate AWS provider with alias <code>us_east_1</code> to handle this.</p> <p>The code above requests an SSL/TLS certificate from AWS Certificate Manager for your domain. We choose DNS validation (simplest in Terraform if using Route 53).Note that we are adding <code>lifecycle.create_before_destroy</code>. This is because in case you change something on this resource, since Application Load Balancer will be using the certificate, this directive allows to duplicate certificate, and replace old one before destroying it thus allowing application load balancer to switch certificates without issues.</p> <h3> DNS Validation via Route 53 </h3> <p>Next, we need to create the required DNS record to prove domain ownership to ACM.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/acm/main.tf</span> <span class="k">resource</span> <span class="s2">"aws_route53_record"</span> <span class="s2">"cert_validation"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">dvo</span> <span class="nx">in</span> <span class="nx">aws_acm_certificate</span><span class="p">.</span><span class="nx">cert</span><span class="p">.</span><span class="nx">domain_validation_options</span> <span class="err">:</span> <span class="nx">dvo</span><span class="p">.</span><span class="nx">domain_name</span> <span class="p">=</span><span class="err">&gt;</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">dvo</span><span class="p">.</span><span class="nx">resource_record_name</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">dvo</span><span class="p">.</span><span class="nx">resource_record_type</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">dvo</span><span class="p">.</span><span class="nx">resource_record_value</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">name</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">type</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">aws_route53_zone_id</span> <span class="nx">records</span> <span class="p">=</span> <span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">value</span><span class="p">]</span> <span class="nx">ttl</span> <span class="p">=</span> <span class="mi">60</span> <span class="p">}</span> </code></pre> </div> <p>In the code above, the <code>for_each</code> turns the set into a map indexed by <code>domain_name</code> (which is unique). We are dynamically generating multiple DNS records (1 per domain to validate) using <code>for_each</code>. <code>aws_acm_certificate.cert.domain_validation_options</code> is a list of instructions from AWS on how to validate your domain. We loop over each <code>dvo</code> (domain validation option), and create a map like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="p">{</span> <span class="s2">"www.your-domain.com"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"_xyz.www.your-domain.com."</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"CNAME"</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"_abc.acm-validations.aws."</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This is how AWS verifies domain ownership: you create a DNS record with those values. The<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="nx">records</span> <span class="err">=</span> <span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">value</span><span class="p">]</span> <span class="nx">ttl</span> <span class="err">=</span> <span class="mi">60</span> </code></pre> </div> <ul> <li> <code>records</code>: The actual value to put in the DNS record (like _abc.acm-validations.aws.)</li> <li> <code>ttl</code>: Time-to-live (how long DNS resolvers cache it), set to 60 seconds for fast propagation.</li> </ul> <p>Next, we are adding a resource that tells AWS to wait for validation to complete before proceeding. It depends on the DNS record being correct.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/acm/main.tf</span> <span class="k">resource</span> <span class="s2">"aws_acm_certificate_validation"</span> <span class="s2">"cert"</span> <span class="p">{</span> <span class="k">provider</span> <span class="p">=</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">us_east_1</span> <span class="nx">certificate_arn</span> <span class="p">=</span> <span class="nx">aws_acm_certificate</span><span class="p">.</span><span class="nx">cert</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">validation_record_fqdns</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">for</span> <span class="nx">record</span> <span class="nx">in</span> <span class="nx">aws_route53_record</span><span class="p">.</span><span class="nx">cert_validation</span> <span class="err">:</span> <span class="nx">record</span><span class="p">.</span><span class="nx">fqdn</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>Let's also output the certificate ARN for later use:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># modules/acm/outputs.tf</span> <span class="k">output</span> <span class="s2">"aws_acm_certificate_arn"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_acm_certificate</span><span class="p">.</span><span class="nx">cert</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"aws_acm_certificate_cert"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_acm_certificate</span><span class="p">.</span><span class="nx">cert</span> <span class="p">}</span> </code></pre> </div> <p>Add this module to your main terraform file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># main.tf</span> <span class="k">module</span> <span class="s2">"ssl_acm"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/acm"</span> <span class="nx">aws_route53_zone_id</span> <span class="p">=</span> <span class="nx">aws_route53_zone</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">zone_id</span> <span class="p">}</span> </code></pre> </div> <p>And now we have ACM certificate ready to be used in API Gateway. Let's ensure everything is correct by running:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform init terraform apply <span class="nt">--auto-approve</span> </code></pre> </div> <h2> Destroying Infra </h2> <p>Remember, infra has costs. When you are done experimenting, you can destroy the infra like follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform destroy <span class="nt">--auto-approve</span> </code></pre> </div> <h2> Next Steps </h2> <p>With the SSL certificate provisioned, you can now integrate it with your AWS services. In the next guides, we will demonstrate how to use this certificate with API Gateway and Application Load Balancer for SSL termination. Feel free to skip to the relevant section based on your architecture needs.</p> <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/provisioning-ssl-termination-for-web-application-2ll8">SSL Termination Overview</a> | <strong>Next:</strong> <a href="https://dev.to/vvasylkovskyi/provisioning-api-gateway-and-connecting-it-to-ec-2-instance-using-terraform-48ib">API Gateway SSL Termination</a></p> aws security terraform tutorial Viktor Vasylkovskyi Wed, 06 May 2026 15:53:30 +0000 https://dev.to/vvasylkovskyi/provisioning-ssl-termination-for-web-application-2ll8 https://dev.to/vvasylkovskyi/provisioning-ssl-termination-for-web-application-2ll8 <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/provisioning-ec2-instances-with-terraform-modules-best-practices-guide-e04">Terraform Modules Best Practices</a></p> <p>SSL termination is one of those steps that feels small but shapes your entire architecture. It is a common pattern to offload the SSL termination off your application, and instead make other cloud resource act as an SSL proxy. There are several ways to do it in AWS, and each comes with its own trade-offs. The “right” choice depends less on preference and more on the kind of traffic you're serving. In cloud, three resources can act as SSL termination: Load Balancer, a Content Delivery Network Origin, or an API Gateway.</p> <p>If you're building a pure REST API, <a href="https://docs.aws.amazon.com/apigateway/latest/developerguide/welcome.html" rel="noopener noreferrer">AWS API Gateway</a> is usually the simplest path. It handles SSL for you, integrates cleanly with Lambda or EC2, and keeps the moving parts to a minimum. The catch? It isn't great for serving frontend assets - you'll quickly notice limitations around caching and file delivery.</p> <p>Then there's the <a href="https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html" rel="noopener noreferrer">Application Load Balancer</a>. It works for both APIs and web apps, gives you full control, and is the most “production-ready” option. But it comes with overhead: more infrastructure, higher cost, and the expectation that you’ll eventually run multiple EC2 instances across multiple availability zones. ALB shines when your system is growing, but it's definitely not the lightest way to get started.</p> <p>This section walks through all three approaches. We will start with API Gateway for pure APIs and finally ALB for production-grade systems. By the end, you'll have a clear picture of how SSL termination fits into different architectures and which option makes sense for your next project.</p> <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/provisioning-ec2-instances-with-terraform-modules-best-practices-guide-e04">Terraform Modules Best Practices</a> | <strong>Next:</strong> <a href="https://dev.to/vvasylkovskyi/provisioning-ssl-certificate-109a">Provision SSL Certificate</a></p> architecture aws networking security Viktor Vasylkovskyi Wed, 06 May 2026 15:52:59 +0000 https://dev.to/vvasylkovskyi/provisioning-ec2-instances-with-terraform-modules-best-practices-guide-e04 https://dev.to/vvasylkovskyi/provisioning-ec2-instances-with-terraform-modules-best-practices-guide-e04 <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/provision-dns-records-with-terraform-2oja">Provision DNS Records with Terraform</a></p> <p>In this notes, we are going to learn how to organise terraform code using best practices like terraform modules. For the sake of simplicity we will reduce the code to the very basic example. An interesting side-effect is by modularizing our code, we can easily create multiple environments like dev and prod, which we will see later.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fakjgwvdgrkrpxq9ij739.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fakjgwvdgrkrpxq9ij739.png" alt=" " width="800" height="321"></a></p> <h2> Github Repository </h2> <p>This guide full code is available in <a href="https://github.com/IaC-Toolbox/iac-toolbox-project/tree/main/v3-terraform-modules" rel="noopener noreferrer">https://github.com/IaC-Toolbox/iac-toolbox-project/tree/main/v3-terraform-modules</a>. Feel free to clone it and follow along!</p> <h2> Creating Terraform Modules </h2> <p>Modularizing Terraform means splitting our infrastructure code into reusable, logical components called modules. This improves maintainability, reusability, and clarity, especially as our infrastructure grows.</p> <p>The best practices are separation of concerns, using inputs and outputs for modules. There are <code>Root Module</code> and <code>Child Modules</code>, where root module is the directory where the terraform commands are meant to run, and child modules are the ones that contain reusable code.</p> <p>We will create 3 modules: <code>network</code>, <code>ec2</code> and <code>dns</code>.</p> <p>The overall folder structure should look like follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>. ├── modules/ │ ├── network │ │ ├── main.tf │ │ ├── variables.tf │ │ └── outputs.tf │ ├── ec2 │ │ ├── main.tf │ │ ├── variables.tf │ │ └── outputs.tf │ ├── dns │ │ ├── main.tf │ │ ├── variables.tf │ │ └── outputs.tf ├── main.tf ├── variables.tf ├── outputs.tf └── terraform.tfvars </code></pre> </div> <h3> Module: network </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_vpc"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_cidr</span> <span class="nx">enable_dns_hostnames</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_dns_support</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnet_cidr</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">availability_zone</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_internet_gateway"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_route_table"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">route</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">gateway_id</span> <span class="p">=</span> <span class="nx">aws_internet_gateway</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_route_table_association"</span> <span class="s2">"subnet-association"</span> <span class="p">{</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">id</span> <span class="nx">route_table_id</span> <span class="p">=</span> <span class="nx">aws_route_table</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <p><strong>Variables:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># variables.tf</span> <span class="nx">variable</span> <span class="s2">"vpc_cidr"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"subnet_cidr"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"availability_zone"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <p><strong>Outputs:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">output</span> <span class="s2">"vpc_id"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"subnet_id"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <h3> Module: ec2 </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"Security Group for EC2 Instance"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="p">}</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_key_pair"</span> <span class="s2">"ssh-key"</span> <span class="p">{</span> <span class="nx">key_name</span> <span class="p">=</span> <span class="s2">"ssh-key"</span> <span class="nx">public_key</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ssh_public_key</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_ami</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">availability_zone</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">associate_public_ip_address</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnet_id</span> <span class="nx">key_name</span> <span class="p">=</span> <span class="nx">aws_key_pair</span><span class="p">.</span><span class="nx">ssh-key</span><span class="p">.</span><span class="nx">key_name</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_eip"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">instance</span> <span class="p">=</span> <span class="nx">aws_instance</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">id</span> <span class="nx">domain</span> <span class="p">=</span> <span class="s2">"vpc"</span> <span class="p">}</span> </code></pre> </div> <p>We will also add security group next to our EC2 module to allow SSH and HTTP access.</p> <p><strong>Variables:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># variables.tf</span> <span class="nx">variable</span> <span class="s2">"instance_ami"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"instance_type"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"availability_zone"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"subnet_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"ssh_public_key"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"vpc_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <p><strong>Outputs:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">output</span> <span class="s2">"instance_id"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_instance</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"public_ip"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_eip</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">public_ip</span> <span class="p">}</span> </code></pre> </div> <h3> Using modules - route module </h3> <p>The root modules will reference the children modules and assign the variables.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># main.tf</span> <span class="nx">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="nx">shared_credentials_files</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"./.aws-credentials"</span><span class="p">]</span> <span class="nx">profile</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"network"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/network"</span> <span class="nx">vpc_cidr</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="nx">subnet_cidr</span> <span class="p">=</span> <span class="s2">"10.0.1.0/24"</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">availability_zone</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"security_group"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/security_group"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"ec2"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/ec2"</span> <span class="nx">instance_ami</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_ami</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">availability_zone</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">subnet_id</span> <span class="nx">ssh_public_key</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ssh_public_key</span> <span class="p">}</span> </code></pre> </div> <p>And the outputs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># outputs.tf</span> <span class="nx">output</span> <span class="s2">"ec2_ip_address"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">ec2</span><span class="p">.</span><span class="nx">public_ip</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The Elastic IP address allocated to the EC2 instance."</span> <span class="p">}</span> </code></pre> </div> <h2> Install modules and apply </h2> <p>The modules have to be installed, so we need to run <code>terraform init</code> first. After that run <code>terraform apply --auto-approve</code> to see that everything works ok. You should see something like this on terminal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> Apply <span class="nb">complete</span><span class="o">!</span> Resources: 3 added, 0 changed, 0 destroyed. Outputs: ec2_ip_address <span class="o">=</span> <span class="s2">"your-ip"</span> </code></pre> </div> <h2> Adding DNS module pointing to our instance and a simple HTTP server </h2> <p>Now to make things interesting, we will create a simple web server and two environments - dev and prod. A common requirement for web applications.</p> <p>To accomplish that, we need to create:</p> <ul> <li>DNS module</li> <li>Update EC-2 Module to launch HTTP server</li> <li>Make dev and prod environments</li> </ul> <h3> DNS Module </h3> <p>Similarly, we will create the <code>module</code> called <code>dns</code> with 3 files in it - main, variables, outputs.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_route53_record"</span> <span class="s2">"www"</span> <span class="p">{</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">main_zone_id</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">domain_name</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"A"</span> <span class="nx">ttl</span> <span class="p">=</span> <span class="mi">60</span> <span class="nx">records</span> <span class="p">=</span> <span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">dns_record</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>Variables:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># variables.tf</span> <span class="nx">variable</span> <span class="s2">"main_zone_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"domain_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"dns_record"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># outputs.tf</span> <span class="nx">output</span> <span class="s2">"dns_record"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_route53_record</span><span class="p">.</span><span class="nx">www</span><span class="p">.</span><span class="nx">fqdn</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The FQDN of the www Route53 record"</span> <span class="p">}</span> </code></pre> </div> <p>We will leave <code>outputs.tf</code> black for now.</p> <p>Now in our <code>route53.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># route53.tf</span> <span class="nx">resource</span> <span class="s2">"aws_route53_zone"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"viktorvasylkovskyi.com"</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"aws_route53_record"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/dns"</span> <span class="nx">domain_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">domain_name</span> <span class="nx">main_zone_id</span> <span class="p">=</span> <span class="nx">aws_route53_zone</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">zone_id</span> <span class="nx">dns_record</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">ec2</span><span class="p">.</span><span class="nx">public_ip</span> <span class="p">}</span> </code></pre> </div> <p>Note, the <code>domain_name</code> is your domain name that you should own. Declare this variable in your <code>variables.tf</code> in the root module, and define it in <code>terraform.tfvars</code>.</p> <h3> Updating our EC-2 to start HTTP server </h3> <p>Now, let's update our <code>ec2</code> module in <code>main.tf</code>. We are going to add a <code>user_data</code> that will instantiate a simple http server on the startup of the machine. Add the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># ec2.main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"app"</span> <span class="p">{</span> <span class="p">...</span> <span class="nx">your</span> <span class="nx">instance</span> <span class="nx">previous</span> <span class="nx">code</span> <span class="p">...</span> <span class="nx">user_data</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOF</span><span class="sh"> #!/bin/bash sudo yum update -y || sudo apt-get update -y sudo yum install -y python3 || sudo apt-get install -y python3 echo "&lt;html&gt;&lt;body&gt;&lt;h1&gt;Hello from Terraform EC2!&lt;/h1&gt;&lt;/body&gt;&lt;/html&gt;" &gt; index.html nohup python3 -m http.server 80 &amp; </span><span class="no"> EOF </span><span class="p">}</span> </code></pre> </div> <h3> Adding outputs </h3> <p>Add outputs at the root module:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># outputs.tf</span> <span class="nx">output</span> <span class="s2">"ec2_domain_name"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">aws_route53_record</span><span class="p">.</span><span class="nx">dns_record</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The Elastic IP address allocated to the EC2 instance."</span> <span class="p">}</span> </code></pre> </div> <h3> Apply changes </h3> <p>Run <code>terraform init</code> and <code>terraform apply --auto-approve</code> and see your server working. You should be able to open browser at <code>var.domain_name</code>.</p> <h2> Destroying Infra </h2> <p>Remember, infra has costs. When you are done experimenting, you can destroy the infra like follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform destroy <span class="nt">--auto-approve</span> </code></pre> </div> <h2> Conclusion </h2> <p>By modularizing our Terraform code, we make our infrastructure more organized, reusable, and easier to maintain. This approach not only saves time as our projects grow, but also helps us avoid duplication and mistakes. With modules, scaling and evolving your infrastructure becomes a much smoother process.<br> Next we are going to focus on security, and more importantly, the SSL termination for our web applications.</p> <h2> Appendix </h2> <p>(Note, the following is optional. The following guides assume you do not follow this in the code, for simplicity sake.)</p> <h2> Adding dev and production environments </h2> <p>The great thing about modules is that we can reuse them. Let's reuse them in two environments: prod and dev. We need to refactor our code such that we have new folder structure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>environments/ dev/ main.tf terraform.tfvars variables.tf prod/ main.tf terraform.tfvars variables.tf modules/ </code></pre> </div> <p>Note, since our environments will be pretty much the same, the <code>terraform.tfvars</code> are going to drive the change of the environments.</p> <p>Example of the <code>terraform.tfvars</code> in <code>dev</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">availability_zone</span> <span class="err">=</span> <span class="s2">"us-east-1a"</span> <span class="nx">instance_ami</span> <span class="err">=</span> <span class="s2">"ami-xxxx"</span> <span class="nx">instance_type</span> <span class="err">=</span> <span class="s2">"t2.micro"</span> <span class="nx">domain_name</span> <span class="err">=</span> <span class="s2">"dev.example.com"</span> </code></pre> </div> <p>and in <code>prod</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">availability_zone</span> <span class="err">=</span> <span class="s2">"us-east-1b"</span> <span class="nx">instance_ami</span> <span class="err">=</span> <span class="s2">"ami-yyyy"</span> <span class="nx">instance_type</span> <span class="err">=</span> <span class="s2">"t3.medium"</span> <span class="nx">domain_name</span> <span class="err">=</span> <span class="s2">"prod.example.com"</span> </code></pre> </div> <p>Now, you can apply.</p> <h2> Applying multiple environments </h2> <p>You can apply both environments using <code>terraform apply</code>. Just jump into the folder and run apply.</p> <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/provision-dns-records-with-terraform-2oja">Provision DNS Records with Terraform</a> | <strong>Next:</strong> <a href="https://dev.to/vvasylkovskyi/provisioning-ssl-termination-for-web-application-2ll8">SSL Termination Overview</a></p> terraform aws learning infrastructure Viktor Vasylkovskyi Wed, 06 May 2026 15:52:00 +0000 https://dev.to/vvasylkovskyi/provision-dns-records-with-terraform-2oja https://dev.to/vvasylkovskyi/provision-dns-records-with-terraform-2oja <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/deploying-ec2-instance-on-aws-with-terraform-2h00">Deploying EC2 instance with Terraform</a></p> <p>In the previous notes we talked about how to setup the ec2 instance inside of the VPC on the subnet. We managed to access to this instance via SSH by providing ssh key in security groups. If you haven't read about it, fear not, you can still go back and read it: <a href="https://dev.to/vvasylkovskyi/deploying-ec2-instance-on-aws-with-terraform-2h00">Deploying EC2 instance on AWS with Terraform</a>.</p> <p>All is fine and dandy until now, but when we want to run a real application, we want to expose it on HTTP (and later HTTPS). In this note, I will walk you through how to do it using terraform. In practice, we will spawn a simple http server on our ec2 instance, and provide <code>Route53</code> DNS records (diagram below).</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsnh4deqb203uvcim0it0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsnh4deqb203uvcim0it0.png" alt=" " width="800" height="520"></a></p> <p>When adding DNS, we will be able to access our application not via IP address like<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>http://52.206.93.210/ </code></pre> </div> <p>but via actual domain that you own like<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>http://www.your-domain.com </code></pre> </div> <p>Let's dive in!</p> <h2> Github Repository </h2> <p>This guide full code is available in <a href="https://github.com/IaC-Toolbox/iac-toolbox-project/tree/main/v2-ec2-http" rel="noopener noreferrer">https://github.com/IaC-Toolbox/iac-toolbox-project/tree/main/v2-ec2-http</a>. Feel free to clone it and follow along!</p> <h2> Spawn HTTP server on ec2 instance </h2> <p>in your <code>ec2.tf</code> add the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"app"</span> <span class="p">{</span> <span class="p">...</span> <span class="nx">your</span> <span class="nx">instance</span> <span class="nx">previous</span> <span class="nx">code</span> <span class="p">...</span> <span class="nx">user_data</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOF</span><span class="sh"> #!/bin/bash sudo yum update -y || sudo apt-get update -y sudo yum install -y python3 || sudo apt-get install -y python3 echo "&lt;html&gt;&lt;body&gt;&lt;h1&gt;Hello from Terraform EC2!&lt;/h1&gt;&lt;/body&gt;&lt;/html&gt;" &gt; index.html nohup python3 -m http.server 80 &amp; </span><span class="no"> EOF </span><span class="p">}</span> </code></pre> </div> <p>In <code>outputs.tf</code> ensure you have the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">output</span> <span class="s2">"ec2_ip_address"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_eip</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">public_ip</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The Elastic IP address allocated to the EC2 instance."</span> <span class="p">}</span> </code></pre> </div> <p>The <code>user_data</code> is a cool utility in aws that allows us to bake in ec2 some bootstrap code. In this example we start a server using python that is a simple <code>&lt;html&gt;&lt;body&gt;&lt;h1&gt;Hello from Terraform EC2!&lt;/h1&gt;&lt;/body&gt;&lt;/html&gt;</code> static page.</p> <h3> Add HTTP rule to security group </h3> <p>In <code>security-groups.tf</code> ensure that you have the following rule to allow HTTP access:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"my_app"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="c1"># ... other rules ...</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"0.0.0.0/0"</span> <span class="p">]</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="p">}</span> <span class="c1"># ... other rules ...</span> <span class="p">}</span> </code></pre> </div> <h3> Testing the setup </h3> <p>Run <code>terraform apply --auto-approve</code>.</p> <p>See the output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ec2_ip_address <span class="o">=</span> <span class="s2">"3.214.79.152"</span> <span class="c"># example output</span> </code></pre> </div> <p>Navigate to <code>ec2_ip_address</code> and see website opening</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0beiomgj5gr68etjaq88.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0beiomgj5gr68etjaq88.png" alt=" " width="800" height="153"></a></p> <h2> Adding Route53 records </h2> <p>Next step, to create DNS records we actually have to create a hosted zone first.</p> <h2> Prerequisite: Domain name </h2> <p>Before we proceed, ensure that you have a domain name registered. You can use any domain registrar of your choice (e.g., GoDaddy, Namecheap, Cloudflare, etc.). For this example, we'll use <code>your-domain.com</code>. Replace it with your actual domain name in the Terraform code.</p> <p>Run <code>terraform apply --auto-approve</code> and navigate to <a href="https://us-east-1.console.aws.amazon.com/route53/v2/hostedzones" rel="noopener noreferrer">Route 53 Hosted Zones</a> and confirm that your hosted zone was created.</p> <h3> Adding Route53 records </h3> <p>Lets begin our <code>route53.tf</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># route53.tf</span> <span class="k">resource</span> <span class="s2">"aws_route53_zone"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"your-domain.com"</span> <span class="p">}</span> </code></pre> </div> <h3> Updating DNS Registrar </h3> <p>At this point, there is a manual step where we actually have to go to the web and click our way through. We need to ensure that our DNS registrar has namespaces of our hosted zone from route 53. You may be familiar with the process of updating NS records in your registrar.</p> <p>You may have purchased your domain from a registrar providers, in my case it is happens to be AWS. But there are many (e.g., GoDaddy, Namecheap, Cloudflare, etc.). So I leave you figure out how to find your DNS management in the registrar. Once you get there, next step is update the <code>NS</code> records to the ones that you have just created with the terraform in AWS.</p> <h3> Update DNS NameSpace records in your DNS registrar </h3> <p>The new Route53 zone that we created using terraform above can be found in the <a href="https://us-east-1.console.aws.amazon.com/route53/v2/hostedzones#" rel="noopener noreferrer">Hosted Zones</a>. Open the zone and find the <code>NS</code> records.</p> <p>Next step is to copy those <code>NS</code> records and add them one by one into DNS registrar of your choice (e.g. Cloudflare). These <code>NS</code> records essentially are addresses that will know how to find that DNS records of Route53.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9tw1qtlpkcfv5bpyo1gb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9tw1qtlpkcfv5bpyo1gb.png" alt=" " width="800" height="176"></a></p> <p>The general flow is:</p> <ol> <li>The user navigates to <code>www.your-domain.com</code> </li> <li>The <code>your-domain.com</code> registrar checks its <code>NS</code> records to find out where to look for DNS records.</li> <li>The registrar finds the <code>NS</code> records that point to Route53.</li> <li>The registrar queries Route53 for the DNS records of <code>www.your-domain.com</code>.</li> <li>Route53 responds with the IP address associated with <code>www.your-domain.com</code>.</li> </ol> <p>Therefore, it is a crucial step to update the <code>NS</code> records in your DNS registrar to point to the Route53 (AWS) name servers.</p> <h3> Add new DNS record </h3> <p>Once this is done we can proceed and add new DNS record using terraform:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># route53.tf</span> <span class="k">resource</span> <span class="s2">"aws_route53_zone"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"your-domain.com"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_route53_record"</span> <span class="s2">"www"</span> <span class="p">{</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="nx">aws_route53_zone</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">zone_id</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"www.your-domain.com"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"A"</span> <span class="nx">ttl</span> <span class="p">=</span> <span class="mi">60</span> <span class="nx">records</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_eip</span><span class="p">.</span><span class="nx">my_app</span><span class="p">.</span><span class="nx">public_ip</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>Above we are creating a DNS record of type <code>A</code> which is a type that assigns DNS name to Ipv4 IP address. Note that in this example we are using <code>EIP</code> which are fixed IP, to avoid the issues with dynamic IP addresses. This way we make sure that even if the EC2 instance is restarted, and receives new private IP, we still keep same fixed public IP. Lets apply and test <code>terraform apply --auto-approve</code>.</p> <p><strong>Note</strong>, check if the name servers got applied. Sometimes it takes a while for your changes to take effect. You can check by running:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>dig +short NS your-domain.com </code></pre> </div> <p>In the output, you should see the name servers that you have added in your DNS registrar. If they are not correct, wait a bit longer, you should receive the following error in browser <code>DNS_PROBE_FINISHED_NXDOMAIN</code> which indicates that the DNS records are not yet propagated.</p> <p>Once they are correct, your DNS should be applied. Visit <code>http://www.your-domain.com</code> and see it showing our demo app!</p> <h2> Destroying Infra </h2> <p>Remember, infra has costs. When you are done experimenting, you can destroy the infra like follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform destroy <span class="nt">--auto-approve</span> </code></pre> </div> <h2> Conclusion </h2> <p>And that is a wrap! Now we have the DNS records pointing to our Ec2 instance. Next, let's explore about how to add SSL to this domain and enable HTTPS. But before that, let's organize our code a little. Continue reading!</p> <p><strong>Previous:</strong> <a href="https://dev.to/vvasylkovskyi/deploying-ec2-instance-on-aws-with-terraform-2h00">Deploying EC2 instance with Terraform</a> | <strong>Next:</strong> <a href="https://dev.to/vvasylkovskyi/provisioning-ec2-instances-with-terraform-modules-best-practices-guide-e04">Terraform Modules Best Practices</a></p> aws devops networking terraform