This project provisions cloud infrastructure using Terraform. It automates the setup of networking, IAM policies, S3, RDS, EC2 auto-scaling, load balancing, and integrates CloudWatch monitoring. It also handles secure credential storage using Secrets Manager and SSL certificate management using both ACM and imported certificates.
- Implement Infrastructure as Code (IaC)
- Set up KMS keys with 90-day rotation for EC2, RDS, S3, and Secrets Manager
- Encrypt sensitive data and integrate KMS into resource definitions
- Store RDS credentials securely using Secrets Manager
- Configure IAM roles for EC2, RDS, S3, and CloudWatch
- Create a secure and scalable auto-scaling web application stack
- Secure endpoints using HTTPS and SSL certificates
- Separate KMS keys are created for:
  - EC2
  - RDS
  - S3 Buckets
  - Secrets Manager (Database Password & Email Credentials)
- All KMS keys have automatic rotation enabled (90-day rotation).
- Resources (S3, RDS, Secrets, EC2 volumes) are encrypted using these keys.
- RDS database password is generated via Terraform and stored securely using Secrets Manager with a custom KMS key.
- Secret is retrieved in the EC2 user-data script at boot time for application configuration.
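As an added illustration of the KMS-plus-Secrets-Manager pattern described above (example configuration, not the project's own module code; the resource names, the secret path and the `aws_iam_role.ec2` reference are assumptions):

```hcl
# Added example, not the project's module. Resource names, the secret name and
# the EC2 role reference are assumed; substitute the project's own values.

resource "aws_kms_key" "secrets" {
  description             = "Customer-managed key for Secrets Manager"
  enable_key_rotation     = true
  rotation_period_in_days = 90   # matches the 90-day rotation policy
  deletion_window_in_days = 30
}

# Password is generated by Terraform and never committed to source control.
resource "random_password" "rds_master" {
  length           = 32
  special          = true
  override_special = "!#$%&*()-_=+[]{}<>:?"  # RDS rejects '/', '@', '"' and space
}

resource "aws_secretsmanager_secret" "rds" {
  name       = "app/rds/master"   # assumed secret name
  kms_key_id = aws_kms_key.secrets.arn
}

resource "aws_secretsmanager_secret_version" "rds" {
  secret_id = aws_secretsmanager_secret.rds.id
  secret_string = jsonencode({
    username = "appadmin"
    password = random_password.rds_master.result
  })
}

# Least-privilege grant for the EC2 instance role: read this one secret and
# decrypt with this one key, nothing broader.
data "aws_iam_policy_document" "ec2_read_secret" {
  statement {
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [aws_secretsmanager_secret.rds.arn]
  }
  statement {
    actions   = ["kms:Decrypt"]
    resources = [aws_kms_key.secrets.arn]
  }
}

resource "aws_iam_role_policy" "ec2_read_secret" {
  name   = "read-rds-secret"
  role   = aws_iam_role.ec2.id   # assumed: the project's EC2 instance role
  policy = data.aws_iam_policy_document.ec2_read_secret.json
}
```

With this grant in place, the EC2 user-data script can fetch the credential at boot with `aws secretsmanager get-secret-value --secret-id app/rds/master` and nothing else in the account.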
- Dev Environment: Uses ACM to issue and attach certificates to the ALB.
- Demo Environment:
  - SSL cert is manually requested from Namecheap (or another provider).
  - Cert is imported into AWS ACM using the CLI.
  - ALB uses the imported certificate for HTTPS.

```bash
aws acm import-certificate \
  --certificate fileb://certificate.crt \
  --private-key fileb://private.key \
  --certificate-chain fileb://ca_bundle.crt \
  --region us-east-1
```

- VPC with public and private subnets
- Internet Gateway and route tables
- Roles for EC2, RDS, S3, CloudWatch
- Policies for resource access, logging, encryption, and secret access
- Private with encryption using KMS
- Lifecycle rule: transition to STANDARD_IA after 30 days
- Versioning and force destroy enabled
- Encrypted with custom KMS key
- Subnet group: private subnets only
- Public access: Disabled
- Password stored in Secrets Manager
- Parameter group enforces SSL settings and max connections
- Launch Template with custom AMI
- Auto-retrieves DB password from Secrets Manager
- Logs sent to CloudWatch
- Minimum 3, Maximum 5 instances
- Scales based on CPU threshold
- ALB configured with listeners for:
  - HTTP (80)
  - HTTPS (443, with imported or ACM cert)
- Security group only allows inbound 80/443
- Instances only accept traffic from ALB
- DNS names: dev.fetchme.me, demo.fetchme.me
- Route53 alias records point to the ALB
- Run Unit Tests
- Validate Packer Templates
- Build Application Artifacts
- Build AMI in DEV account
  - Upgrade OS and install system dependencies
  - Install app dependencies and configure startup
- Share AMI with DEMO account
- Reconfigure GitHub AWS CLI to use DEMO credentials
- Create a new Launch Template version
- Update ASG to use new Launch Template
- Trigger ASG Instance Refresh
- Wait for refresh to complete (GitHub Actions workflow status matches refresh status)
- Terraform
- AWS CLI with IAM credentials (set via env or GitHub Secrets)
```bash
terraform init
terraform validate
terraform plan
terraform apply -auto-approve
```

```bash
terraform destroy -auto-approve
```

- API Call Count and Latency
- DB Query Time
- S3 Interaction Time
- System Metrics (CPU, Memory, Disk)
- App logs forwarded via CloudWatch Agent
- Logs include INFO, WARN, ERROR, and stack traces

```
INFO: Health check passed
INFO: File uploaded: uploads/img.jpg
INFO: DB query time: 20ms
INFO: S3 response time: 35ms
```

- Use encrypted resources with KMS
- Never expose EC2 instances directly to the internet
- Use Secrets Manager + KMS for secure credentials
- Automate everything with CI/CD
- Use HTTPS (with ACM or imported SSL) for all external access