AWS-LAB

This aim of this project is to provision a complete AWS infrastructure with CD/CD pipeline with a RDS instance and to deploy on that infrastructure a web application that is micro-serviced and has SSL certifictates using terraform.

---

Step 1 - Route53 + AWS Certificate Manager

Creation of the Domain and SSL certs.

The first and mostly manual step will be to create a domain name with aws Route53. After the creation of the new domain name, AWS will provide a hosted zone for the domain, after which you will need to create a new SSL certificate with ACM, next would need to register the new ACM into the domains Route53 records and validate it.

*Note that the process is documented in the acm.tf file of the terraform config

Step 2 - Creation of the VPC and the network components

Creation of the VPC configuration and registering the ALB to the Route53 Records

The VPC configuration consists of two public subnets that will run an ALB on both of them and a NAT gateway(I used one but two are recomended for HA) and an internet gateway, so the VPC would be able to connect to the WWW.

ALB - Will allow us to access specific microservices that are deployed on the private subnets.

NAT gateway - The private subnets will connect to it and be able to sent requests to the WWW to dependencies etc....

This step consists of configuring a few conponents:

1. ALB
2. IGW
3. NAT gateway
4. NAT elastic ip
5. 2 public subnets
6. 2 private subnets
7. Route table for the public subnets
8. Route table for the private subnets
9. Relevant associations of the routing tables to the subnets

The more straightforward configurtion of components 2-9 is in the main.tf

ALB configuration

After configuring step 1 we will create the ALB component and create the following componets as well:

1. ALB Target gorups - A component that is used to route requests to one or more registered targets, such as EC2,ECS instances, based on specific rules and conditions.

2. ALB listeners - Checks for incoming connection requests from clients using the specified protocol and port

During the configuration of the ALB listeners, to attach the SSL certs we need to configure it with an SSL policy and them give it the relevant SSL cert of the created domain from step 1.

• Note create a redicrection from port 80 to port 443 in the ALB listeners

Creation of the target and their port will be able to redirect trafic to our ECS instances that we will create later.

After configuring the ALB we will add its DNS name into an A record in Route53 records so we will be able to acces our vpc with SSL certs and by typing our domain name in the browsers.

*Note that the process is documented in the main.tf, alb.tf,acm.tf file of the terraform config

Step 3 - Creation of the DB

Creation of the RDS is pretty straight forward, specify the login credentials and the type of instance you want, specify the subnets it will run on as a subnet group and lastly create security group for the RDS instance.

*Note that the process is documented in the db.tf, securitygroup.tf file of the terraform config

Step 4 - Creation of ECS instance

Creation on the ECS cluster with fargate

• Note that I have created a process that clones the lastest version of the frotend and backend from github, then creates docker images from them and pushes them into ECR for later uss to configure the ECS cluster.

  1. Firstly configure the ECS cluster component
  2. Create two Tasks, one for the backend and one for the frontend service with the appropriate container definitions, note that it is important to inculde the healthcheck ability of the container, eanbling logs is optional but recommended.
  3. Create two services, one for the frontend task and one for the backend task, in which you ought to configure the ALB target groups to the services and to attach the relevant security groups and the subnets they will run on.
  4. Next configure the ALB listener for the backend service to block all communication exept the frontend.
  5. configure security groups for the DB and for the ALB so the ECS components can "talk" to them.
  • Note configuring the ALB healthcheck path and the container healthcheck is important because if they both wont be able to pull the liveness of the container, the ECS agent after some time will destory the container and will redeploy it in an endless cycle, because it thinks that container cant start, even though the microservice inisde runs fine. The problem with the cluster reprovisioning the ECS service in endless cycle is bad beacuse it pull image from the ECR each time, and that costs money money per pull :( also it impacts the CI/CD pipeline by wating for timeout of te deployment because the contaier cant reach ready state.

*Note that the process is documented in the ecs.tf, alb.tf,ecs.tf,securitygroup.tf file of the terraform config

Step 5 - Creation of CI/CD pipeline with CodePipeLine

Creation on CodePipeLine with CodeBuild project and github webhook and redeployment on the appropriate services

This step requires creation of the following components for each pipeline:

1. CodePipeLine
2. Codebuild
3. AWS webhook
4. Github webhook url register
5. S3 bucket

For each pipeline you would configure the general skeleton of the CodePipeLine, next you would want to configure the github webhook with the two components(3,4) to the relevant branch. After that you will create a Codebuild project that will get the github clone resources, create an artifact from in and dockerize then push it into ECR with each github push trigger. Then lastly the image will be redeployed on the appropriate container/service on the ECS cluster (note that which image and which container is specified in the imagedefinitions.json).