Create a Secure Web Portal
PROBLEM STATEMENT :
Statement: We have to create a web portal for our company with all the security as much as possible.
So, we use WordPress software with dedicated database server.
Database should not be accessible from the outside world for security purposes.
We only need to public the WordPress to clients.
Don't forgot to add auto IP assign.
So here are the steps for proper understanding!
Steps:
1) Write a Infrastructure as code using terraform, which automatically create a VPC.
2) In that VPC we have to create 2 subnets :
a) public subnet [ Accessible for Public World! ]
b) private subnet [ Restricted for Public World! ]
3) Create a public facing internet gateway for connecting our VPC/Network to the internet world and attach this gateway to our VPC.
4) Create a routing table for Internet gateway so that instance can connect to outside world, update and associate it with public subnet.
5) Launch an EC2 instance which has WordPress setup already having the security group allowing port 80 so that our client can connect to our WordPress site.
Also attach the key to instance for further login into it.
6) Launch an EC2 instance which has MYSQL setup already with security group allowing port 3306 in private subnet so that our WordPress VM can connect with the same.
Also attach the key with the same.
Prerequisites:
1) We need to have an account on AWS.
2) AWS CLI program should be downloaded and configured.
DETAILED STEPS :
☁ 1.Create provider for terraform - provider is that cloud that terraform contact for launching the resources.
provider "aws" {
profile = "Admin"
region = "ap-south-1"
}
☁ Start by creating a VPC.
Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can use both IPv4 and IPv6 in your VPC for secure and easy access to resources and applications.
You can easily customize the network configuration of your Amazon VPC. For example, you can create a public-facing subnet for your web servers that have access to the internet. You can also place your backend systems, such as databases or application servers, in a private-facing subnet with no internet access. You can use multiple layers of security, including security groups and network access control lists (NACL) , to help control access to Amazon EC2 instances in each subnet.
provider "aws" {
profile = "Admin"
region = "ap-south-1"
}
resource "aws_vpc" "main" {
cidr_block = "192.168.0.0/16"
}
☁ Continue with creating the private and public subnets
As mentioned before the private subnet will be used for the database (MYSQL) and the public subnet will be used for the WordPress so that it can be accessed by the clients.
resource "aws_subnet" "public_subnet" {
vpc_id = "${aws_vpc.main.id}"
cidr_block = "192.168.1.0/24"
map_public_ip_on_launch = true
tags = {
Name = "public_subnet"
}
}
resource "aws_subnet" "private_subnet" {
vpc_id = "${aws_vpc.main.id}"
cidr_block = "192.168.2.0/24"
tags = {
Name = "private_subnet"
}
}
The cidr_block mentioned in subnets and VPC can be given by our choice but they should be in the correct range.
If you want your instance in a public subnet to communicate with the internet over IPv4, it must have a public IPv4 address or an Elastic IP address (IPv4)
☁ If a subnet's traffic is routed to an internet gateway, the subnet is known as public subnet.
So now we will create an internet gateway and a route table and attach them to the private subnet.
resource "aws_internet_gateway" "internet_gateway" {
vpc_id = "${aws_vpc.main.id}"
}
An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet.
An internet gateway serves two purposes: to provide a target in your VPC route tables for internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.
resource "aws_route_table" "route_table" {
vpc_id = "${aws_vpc.main.id}"
route {
cidr_block = "0.0.0.0/0"
gateway_id = "${aws_internet_gateway.internet_gateway.id}"
}
tags = {
Name = "public_subnet"
}
}
resource "aws_route_table_association" "route_table_associate" {
subnet_id = "${aws_subnet.public_subnet.id}"
route_table_id = "${aws_route_table.route_table.id}"
}
A route table contains a set of rules, called routes, that are used to determine where network traffic from your subnet or gateway is directed.
Route table association—The association between a route table and a subnet, internet gateway, or virtual private gateway.
☁ If a subnet doesn't have a route to the internet gateway, the subnet is known as a private subnet. And hence we will not create them for the private subnet.
☁ Now before launching the the instances in the subnet we have created, create the key-pair and security groups for them.
Key-pair :
variable "key_name" { default = "key2" }
resource "tls_private_key" "example" {
algorithm = "RSA"
rsa_bits = 4096
}
resource "aws_key_pair" "generated_key" {
depends_on = [
tls_private_key.example
]
key_name = "${var.key_name}"
public_key = "${tls_private_key.example.public_key_openssh}"
}
Security group for wordpress :
resource "aws_security_group" "wordpress_sg" {
name = "wordpress_sg"
description = "Allow TLS inbound traffic"
vpc_id = "${aws_vpc.main.id}"
ingress {
description = "IMCP"
from_port = 0
to_port = 0
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
ingress {
description = "SSH"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
ingress {
description = "HTTP"
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = {
Name = "wordpress_sg"
}
}
Security-group for MYSQl :
Since we want that only WordPress can contact the MYSQL database so in the rules of the security group for mysql we can specify the security group id of WordPress so that it allows only WordPress instance (or the instance with the security group mentioned) to access the database.
resource "aws_security_group" "MySQL_sg" {
name = "MySQL_sg"
description = "Allow TLS inbound traffic"
vpc_id = "${aws_vpc.main.id}"
tags = {
Name = "mysql_sg"
}
}
resource "aws_security_group_rule" "mysql_sg_rule_in" {
type = "ingress"
from_port = 3306
to_port = 3306
protocol = "tcp"
security_group_id = "${aws_security_group.MySQL_sg.id}"
source_security_group_id = "${aws_security_group.wordpress_sg.id}"
}
resource "aws_security_group_rule" "mysql_sg_rule_eg" {
type = "egress"
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
security_group_id = "${aws_security_group.MySQL_sg.id}"
}
☁ Now create the instance for MYSQL first
The ami, used in my case for mysql is
resource "aws_instance" "mysql_instance" {
ami = "ami-0428a02584750600f"
instance_type = "t2.micro"
key_name = aws_key_pair.generated_key.key_name
vpc_security_group_ids = [ "${aws_security_group.MySQL_sg.id}" ]
subnet_id = "${aws_subnet.private_subnet.id}"
tags = {
Name = "mysql_instance"
}
}
☁ Lastly create instance for WordPress
Ami used :
resource "aws_instance" "wordpress_instance" {
ami = "ami-004a955bfb611bf13"
instance_type = "t2.micro"
key_name = aws_key_pair.generated_key.key_name
vpc_security_group_ids = [ "${aws_security_group.wordpress_sg.id}" ]
subnet_id = "${aws_subnet.public_subnet.id}"
tags = {
Name = "wordpress_instance"
}
}
☁ Now run : terraform init for installing the plugins required for running the code.
After this run : terraform apply --auto-approve , for running the code.
☁ After the code is successfully build , you can see the following outputs :
VPC created :
Internet Gateway :
Route Table :
Private subnet with default route table:
Public Subnet with the route table we created and auto public IP option enabled :
Key-Pair made:
Security-groups created :
Instance created:
☁ Use the public IP assigned to the WordPress instance to connect to the WordPress
At first you will not see the usual WordPress screen because we have uses Bitnami ami for launching it.
And we will have to login with username - user and have to extract the password
You cam get the password by going to the system logs of the instance, scroll a bit and you can find the password now use this to login into the WordPress, now you can create your own portal.
And hence our portal is made !!!!!
