san-est/module-infra

module-infra

Modular Terraform infrastructure for AWS - a production-ready template for deploying containerized applications with networking, database, secrets management, and DNS.

Overview

This repository provides a complete AWS infrastructure setup using Terraform with a modular architecture. It's designed to deploy containerized applications on ECS with supporting services including RDS databases, VPC networking, secrets management, and Route53 DNS configuration.

Architecture

The infrastructure consists of the following modules:

  • Networking - VPC with public/private subnets, NAT gateway, Internet Gateway, and VPC endpoints (S3, ECR, SSM, CloudWatch, Secrets Manager)
  • Backend (ECS) - ECR repository, ECS cluster, task definitions, Fargate services, and Application Load Balancer with HTTPS
  • RDS - Managed PostgreSQL or MySQL database instances with automated backups
  • Secrets Manager - Secure storage and retrieval of sensitive configuration (API keys, database passwords, JWT secrets)
  • Route53 - DNS hosted zones and records for custom domain configuration

Project Structure

.
├── main.tf              # Main configuration and module composition
├── variables.tf         # Input variables
├── outputs.tf           # Output values
├── provider.tf          # AWS provider configuration
├── backend.tf           # Terraform state backend configuration
├── terraform.tfvars     # Variable values (gitignored - create your own)
└── modules/
    ├── networking/      # VPC, subnets, gateways, endpoints
    ├── backend/         # ECS, ECR, ALB, task definitions
    ├── rds/             # RDS database instances
    ├── secretsmanager/  # Secrets Manager resources
    └── route53/         # DNS hosted zones and records

Prerequisites

  • Terraform >= 1.0
  • AWS CLI configured with appropriate credentials
  • An AWS account with necessary permissions
  • (Optional) A registered domain name for Route53 configuration
  • (Optional) An ACM certificate ARN for HTTPS on the load balancer

Getting Started

  1. Clone the repository

    git clone <repository-url>
    cd module-infra

  2. Create your terraform.tfvars file

    project_name = "myapp"
    environment  = "dev"
    region       = "us-east-1"
    
    vpc_cidr_block = "10.0.0.0/16"
    
    # ECS Configuration
    task_cpu              = 512
    task_memory           = 1024
    service_desired_count = 2
    
    # Certificate for HTTPS (create in ACM first)
    certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/..."
    
    # Domain configuration
    domain_name = "example.com"
    
    # Application secrets
    application_secrets = {
      "app/database/password" = {
        description = "Database password"
        value       = "your-secure-password"
      }
      "app/api/key" = {
        description = "API key"
        value       = "your-api-key"
      }
      "app/jwt/signing-key" = {
        description = "JWT signing key"
        value       = "your-jwt-secret"
      }
    }

  3. Initialize Terraform

    terraform init

  4. Review the execution plan

    terraform plan

  5. Apply the infrastructure

    terraform apply

Module Usage

Networking Module

Creates a VPC with public and private subnets across multiple availability zones, NAT gateway for outbound internet access from private subnets, and VPC endpoints for AWS services.

Backend Module

Deploys a containerized application on ECS Fargate with:

  • ECR repository for container images
  • ECS cluster and service with auto-scaling capabilities
  • Application Load Balancer with HTTPS support
  • IAM roles and security groups
  • Environment variables and secrets injection

RDS Module

Provisions a managed database instance with:

  • Support for PostgreSQL and MySQL engines
  • Automated backups and maintenance windows
  • Deployment in private subnets
  • Security group configuration
  • Password stored in Secrets Manager

Secrets Manager Module

Manages application secrets securely:

  • Creates secrets from the application_secrets variable
  • Optional KMS encryption
  • Accessible by ECS tasks via IAM policies

Route53 Module

Handles DNS configuration:

  • Creates hosted zones (public or private)
  • Manages DNS records
  • Supports alias records for ALB integration

Environment Variables

The ECS tasks are configured with the following environment variables (see main.tf:83-108):

  • NODE_ENV - Environment name
  • DB_HOST - RDS hostname
  • DB_PORT - RDS port
  • DB_ENDPOINT - RDS endpoint (host:port)
  • DB_NAME - Database name
  • DB_USER - Database username

And secrets injected from Secrets Manager:

  • DB_PASSWORD - Database password
  • API_KEY - API key
  • JWT_SECRET - JWT signing key
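The wiring behind these two lists, as an added example rather than the repository's own main.tf: a Fargate task definition that passes the plain variables through `environment` and the three secrets through `secrets`, plus an execution-role policy that may read exactly those secrets. Resource names (aws_iam_role.execution, aws_ecr_repository.app, aws_db_instance.this, aws_secretsmanager_secret.app keyed by the application_secrets map keys, aws_kms_key.secrets) are assumptions, and attribute names follow AWS provider v4 or later.

```hcl
# Added example (not the repository's main.tf; resource names are assumed): plain
# values travel in "environment", sensitive ones in "secrets", which ECS resolves
# from Secrets Manager at task start so they never sit as literals in the task
# definition, the state file, or the console.
resource "aws_ecs_task_definition" "app" {
  family                   = "${var.project_name}-${var.environment}"
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = var.task_cpu
  memory                   = var.task_memory
  execution_role_arn       = aws_iam_role.execution.arn
  container_definitions = jsonencode([{
    name  = "app"
    image = "${aws_ecr_repository.app.repository_url}:latest"
    environment = [
      { name = "NODE_ENV", value = var.environment },
      { name = "DB_HOST", value = aws_db_instance.this.address },
      { name = "DB_PORT", value = tostring(aws_db_instance.this.port) },
      { name = "DB_ENDPOINT", value = aws_db_instance.this.endpoint },
      { name = "DB_NAME", value = aws_db_instance.this.db_name },
      { name = "DB_USER", value = aws_db_instance.this.username },
    ]
    # valueFrom is the secret ARN; the execution role fetches the value, the app never does
    secrets = [
      { name = "DB_PASSWORD", valueFrom = aws_secretsmanager_secret.app["app/database/password"].arn },
      { name = "API_KEY", valueFrom = aws_secretsmanager_secret.app["app/api/key"].arn },
      { name = "JWT_SECRET", valueFrom = aws_secretsmanager_secret.app["app/jwt/signing-key"].arn },
    ]
  }])
}

# The execution role may read exactly these secrets, not "secretsmanager:*" on "*"
data "aws_iam_policy_document" "read_secrets" {
  statement {
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [for k in keys(var.application_secrets) : aws_secretsmanager_secret.app[k].arn]
  }
  statement { # only needed when the secrets use a customer-managed KMS key
    actions   = ["kms:Decrypt"]
    resources = [aws_kms_key.secrets.arn]
  }
}

resource "aws_iam_role_policy" "read_secrets" {
  role   = aws_iam_role.execution.id
  policy = data.aws_iam_policy_document.read_secrets.json
}
```

The task role (what the application itself runs as) gets no Secrets Manager permission here; only the execution role needs it, so a compromised container cannot enumerate other secrets.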

Outputs

After successful deployment, Terraform will output important values such as:

  • VPC ID and subnet IDs
  • Load balancer DNS name
  • ECR repository URL
  • RDS endpoint
  • Route53 name servers

Security Considerations

  • All sensitive values should be stored in terraform.tfvars (which is gitignored)
  • Database is deployed in private subnets with no public access
  • Secrets are stored in AWS Secrets Manager with encryption
  • Security groups follow the principle of least privilege
  • HTTPS is enforced on the load balancer (requires ACM certificate)
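What "least privilege" and "HTTPS is enforced" look like in Terraform, as an added example that is not the repository's module code: each tier's security group admits traffic only from the tier in front of it, never from a CIDR range, and the plain-HTTP listener only redirects. Resource names (module.networking.vpc_id, aws_lb.this) and the variable container_port are assumptions, and 5432 is the PostgreSQL port (use 3306 for MySQL).

```hcl
# Added example (not the repository's module code; names assumed): the
# security-group chain internet -> ALB -> ECS tasks -> RDS, plus HTTP redirect.
resource "aws_security_group" "tier" {
  for_each = toset(["alb", "ecs", "rds"])
  name     = "${var.project_name}-${each.key}"
  vpc_id   = module.networking.vpc_id
}

# Internet may reach only the ALB; 80 is opened solely for the redirect below
resource "aws_security_group_rule" "alb_in" {
  for_each          = toset(["80", "443"])
  type              = "ingress"
  from_port         = tonumber(each.key)
  to_port           = tonumber(each.key)
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.tier["alb"].id
}

# Each inner tier accepts traffic only from the security group in front of it
resource "aws_security_group_rule" "chain" {
  for_each = {
    ecs = { from = "alb", port = var.container_port }
    rds = { from = "ecs", port = 5432 } # PostgreSQL; 3306 for MySQL
  }
  type                     = "ingress"
  from_port                = each.value.port
  to_port                  = each.value.port
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.tier[each.value.from].id
  security_group_id        = aws_security_group.tier[each.key].id
}

# Plain HTTP is answered only with a permanent redirect to HTTPS
resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.this.arn
  port              = 80
  protocol          = "HTTP"
  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}
```

Egress rules are omitted for brevity: Terraform strips the default allow-all egress from a security group declared without an egress block, so add explicit egress for the ALB (to the tasks) and for the ECS tier (to RDS and to the VPC endpoints), which keeps the database tier with no outbound rule at all.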

Customization

Each module accepts various configuration options. Refer to the variables.tf file in each module directory for available parameters. Common customizations include:

  • VPC CIDR blocks and subnet configurations
  • Database engine, version, and instance size
  • ECS task CPU and memory allocation
  • Number of ECS service replicas
  • Health check endpoints and intervals

Clean Up

To destroy all resources:

    terraform destroy

Warning: This will delete all infrastructure including databases. Ensure you have backups if needed.

Contributing

This is a template repository. Submit a PR if you wish to contribute.

License

This project is provided as-is for infrastructure deployment purposes.
