DEV Community

Cover image for Building Production-Ready AWS Three-Tier Architecture with Terraform and GitOps
Renato Mendoza
Renato Mendoza

Posted on

Building Production-Ready AWS Three-Tier Architecture with Terraform and GitOps

#architecture #aws #terraform #devops

Modern web applications demand scalable, secure, and maintainable infrastructure. This project demonstrates how to deploy a complete three-tier architecture on AWS using Terraform with professional CI/CD workflows.

What You'll Build

A production-ready architecture featuring:

  • Web Tier: Application Load Balancer with SSL termination and Auto Scaling Groups
  • Application Tier: EC2 instances running PHP web application in private subnets
  • Database Tier: RDS MySQL with Multi-AZ support and encrypted storage

Key Features

πŸ”’ Security First

  • Private subnets for application and database tiers
  • AWS Secrets Manager integration for database credentials
  • OIDC authentication (no long-term AWS keys)
  • Security groups with least-privilege access

πŸš€ GitOps Workflow

  • Environment-specific branches (env/dev, env/staging, env/prod)
  • Automated Terraform validation and planning on PRs
  • Manual approval gates for production deployments
  • Safe destroy workflows with confirmation requirements

πŸ“Š Infrastructure as Code

  • Modular Terraform design for reusability
  • Remote state management with S3 and DynamoDB
  • Environment-specific configurations
  • Comprehensive output values

Project Structure 

aws-three-tier-terraform-cicd/
β”œβ”€β”€ .github/workflows/
β”‚   └── terraform.yaml         # CI/CD pipeline
β”œβ”€β”€ docs/
β”‚   └── MANUAL_WORKFLOWS.md    # Manual workflow documentation
β”œβ”€β”€ infra/envs/
β”‚   β”œβ”€β”€ dev/                   # Development environment config
β”‚   β”‚   └── terraform.tfvars   # Dev-specific variables
β”‚   β”œβ”€β”€ staging/               # Staging environment config
β”‚   β”‚   └── terraform.tfvars   # Staging-specific variables
β”‚   β”œβ”€β”€ prod/                  # Production environment config
β”‚   β”‚   └── terraform.tfvars   # Production-specific variables
β”‚   β”œβ”€β”€ main.tf                # Main infrastructure configuration
β”‚   β”œβ”€β”€ variables.tf           # Input variables
β”‚   β”œβ”€β”€ locals.tf              # Local values
β”‚   └── versions.tf            # Terraform and provider versions
β”œβ”€β”€ modules/
β”‚   β”œβ”€β”€ application/           # Application tier module
β”‚   β”‚   β”œβ”€β”€ main.tf            # Application module implementation
β”‚   β”‚   β”œβ”€β”€ variables.tf       # Application module variables
β”‚   β”‚   └── outputs.tf         # Application module outputs
β”‚   └── network/               # Network tier module
β”‚       β”œβ”€β”€ main.tf            # Network module implementation
β”‚       β”œβ”€β”€ variables.tf       # Network module variables
β”‚       └── outputs.tf         # Network module outputs
└── scripts/                   # Helper scripts
Enter fullscreen mode Exit fullscreen mode

Quick Start

  1. Fork the repository and configure GitHub secrets: 
   DB_PASSWORD          # Database password
   AWS_ROLE_ARN         # OIDC role ARN
Enter fullscreen mode Exit fullscreen mode

For detailed instructions on setting up OIDC authentication and configuring the Terraform backend, see: one-click-aws-terraform-backend-gitops-oidc

  1. Set GitHub variables: 
   AWS_REGION           # Target AWS region
   TF_BACKEND_*         # Terraform backend config
Enter fullscreen mode Exit fullscreen mode
  1. Configure environment by copying terraform.tfvars.example: 
   region = "us-west-2"
   env_name = "dev"
   certificate_arn = "arn:aws:acm:..."
   domain_name = "yourdomain.com"
Enter fullscreen mode Exit fullscreen mode
  1. Deploy using GitOps:
    • Create PR to environment branches β†’ Terraform format check, validation, and plan
    • Merge to env/dev β†’ Deploy to development
    • Merge to env/staging β†’ Deploy to staging
    • Merge to env/prod β†’ Deploy to production (with manual approval)

CI/CD Pipeline Highlights

The GitHub Actions workflow provides:

  • Automated Planning: Terraform plans run on every PR with results commented
  • Environment Isolation: Separate workspaces for dev/staging/prod
  • Security Gates: Manual approval required for production changes
  • Safe Destruction: Multi-step confirmation for infrastructure teardown

Database Security

Credentials are handled through multiple security layers:

  1. GitHub Secrets store the master password
  2. AWS Secrets Manager receives the password via CI/CD
  3. IAM Roles allow EC2 instances to retrieve credentials
  4. No Hardcoding - passwords never appear in code or state

Production Considerations

  • Configure DNS manually (project doesn't create Route53 records)
  • Enable VPC Flow Logs for network monitoring
  • Use remote state backend for team collaboration

Why This Approach Works

This architecture pattern provides:

  • Scalability: Auto Scaling Groups handle traffic spikes
  • Security: Multi-layered security with private networking
  • Reliability: Multi-AZ deployment with load balancing
  • Maintainability: Modular Terraform with GitOps workflows
  • Cost Efficiency: Environment-specific scaling configurations

Ready to deploy enterprise-grade infrastructure? Check out the full repository for complete implementation details.

Top comments (0)