TASK 3
STATEMENT:- We have to create a web portal for our company with all the security as much as possible. So, we use Wordpress software with dedicated database server. Database should not be accessible from the outside world for security purposes. We only need to public the WordPress to clients.
So here are the steps for proper understanding!
STEPS:-
- Write a Infrastructure as code using terraform, which automatically create a VPC.
- In that VPC we have to create 2 subnets:
a) public subnet [ Accessible for Public World! ]
b) private subnet [ Restricted for Public World! ]
- Create a public facing internet gateway for connect our VPC/Network to the internet world and attach this gateway to our VPC.
- Create a routing table for Internet gateway so that instance can connect to outside world, update and associate it with public subnet.
- Launch an ec2 instance which has Wordpress setup already having the security group allowing port 80 so that our client can connect to our wordpress site. Also attach the key to instance for further login into it.
- Launch an ec2 instance which has MYSQL setup already with security group allowing port 3306 in private subnet so that our wordpress vm can connect with the same. Also attach the key with the same.
NOTE:- Wordpress instance has to be part of public subnet so that our client can connect our site. Mysql instance has to be part of private subnet so that outside world can't connect to it. Don't forgot to add auto ip assign and auto dns name assignment option to be enabled.
PRE-REQUISITES:-
- Account on AWS.
- IAM User with Admin Access.
- AWS CLI installed and configured.
- Terraform installed.
- Knowledge of AWS VPC, Security groups, Subnets, etc.
Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can use both IPv4 and IPv6 in your VPC for secure and easy access to resources and applications.
You can easily customize the network configuration of your Amazon VPC. For example, you can create a public-facing subnet for your web servers that have access to the internet. You can also place your backend systems, such as databases or application servers, in a private-facing subnet with no internet access. You can use multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet.
Let's Start:-
>> To start with terraform to create a complete Infrastructure, first we have to give aws credentials:
provider "aws" {
region = "ap-south-1"
profile = "ankita"
}
>> Now, creating VPC from CLI using terraform code:-
resource "aws_vpc" "myvpc" {
cidr_block = "192.168.0.0/16"
instance_tenancy = "default"
enable_dns_hostnames = "true"
tags = {
Name = "myvpc"
}
}
}
Output:-
Subnet:- A subnet, or subnetwork, is a segmented piece of a larger network. More specifically, subnets are a logical partition of an IP network into multiple, smaller network segments.
- Public Subnet:- A public subnet is a subnet that's associated with a route table that has a route to an internet gateway from where outside world can connect to the Subnet.
>> Creating Public Subnet using terraform:
resource "aws_subnet" "subnet1" {
vpc_id = aws_vpc.myvpc.id
cidr_block = "192.168.0.0/24"
availability_zone = "ap-south-1a"
map_public_ip_on_launch = "true"
tags = {
Name = "subnet1"
}
}
Here, map_public_ip_on_launch="true" is done to provide automatic Public IP address to instances.
- Private Subnet:- A private subnet is that where there is no association of subnet to the routing table. They don't know about the Internet Gateway, that's the reason no one can connect from outside world to this Subnet.
>> Creating Private Subnet using terraform:
resource "aws_subnet" "subnet2" {
vpc_id = aws_vpc.myvpc.id
cidr_block = "192.168.1.0/24"
availability_zone = "ap-south-1b"
tags = {
Name = "subnet2"
}
}
Output:-
Internet Gateway:- An internet gateway is an optional virtual router you can add to your VCN to enable direct connectivity to the internet. The gateway supports connections initiated from within the VCN (egress) and connections initiated from the internet (ingress).
>> Creating Internet Gateway using terraform:
resource "aws_internet_gateway" "gw" {
vpc_id = aws_vpc.myvpc.id
tags = {
Name = "mygw"
}
}
Output:-
Routing Table:- A route table contains a set of rules, called routes, that are used to determine where network traffic from your subnet or gateway is directed.
>> Create Routing Table using terraform code:
resource "aws_route_table" "myroute" {
vpc_id = aws_vpc.myvpc.id
route {
gateway_id = aws_internet_gateway.gw.id
cidr_block = "0.0.0.0/0"
}
tags = {
Name = "myrt"
}
}
Output:-
Routing Table Association:- Provides a resource to create an association between a route table and a subnet or a route table and an internet gateway or virtual private gateway.
>> Create Routing Table Association using terraform code:
resource "aws_route_table_association" "sub_a" {
subnet_id = aws_subnet.subnet1.id
route_table_id = aws_route_table.myroute.id
}
Output:-
Security Groups:- A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC can be assigned to a different set of security groups.
>> Creation of WordPress Security Group using terraform:
resource "aws_security_group" "sg1" {
depends_on = [ aws_vpc.myvpc ]
name = "wpos_sg"
vpc_id = aws_vpc.myvpc.id
ingress {
description = "SSH"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = [ "0.0.0.0/0"]
}
ingress {
description = "HTTP"
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = [ "0.0.0.0/0" ]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = {
Name = "wpos_sg"
}
}
>> Creation of Database Security Groups using terraform:
resource "aws_security_group" "sg2" {
depends_on = [ aws_vpc.myvpc ]
name = "mysql_sg"
vpc_id = aws_vpc.myvpc.id
ingress {
description = "MYSQL"
from_port = 3306
to_port = 3306
protocol = "tcp"
security_groups = [ aws_security_group.sg1.id ]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = {
Name = "mysql_sg"
}
}
Output:-
>> Creation of WordPress Instance with Public Subnet using terraform:
resource "aws_instance" "wordpress_os" {
ami = "ami-7e257211"
instance_type = "t2.micro"
subnet_id = aws_subnet.subnet1.id
vpc_security_group_ids = [ aws_security_group.sg1.id ]
key_name = "abc"
tags = {
Name = "wordpress"
}
}
>> Creation of Database with Private Subnet using terraform:
resource "aws_instance" "database" {
ami = "ami-0447a12f28fddb066"
instance_type = "t2.micro"
subnet_id = aws_subnet.subnet2.id
vpc_security_group_ids = [ aws_security_group.sg2.id ]
key_name = "abc"
tags = {
Name = "database"
}
}
Output:-
>> Creation of Provisioner to directly go to WordPress Web Browser.
resource "null_resource" "nulllocal1" {
depends_on = [
aws_instance.wordpress_os ,
aws_instance.database ,
]
provisioner "local-exec" {
command = "start firefox ${aws_instance.wordpress_os.public_ip}"
}
}
Output:-
Here we give the instance Id of wordpress which was launched with Public Subnet.
Final Result:-
>>We can destroy the complete infrastructure in one-click:
Thank You!!!
Github Link:-
ami not working