Highly Secure Wordpress-MySQL Automation using AWS & Terraform

What is Cloud Automation?

Cloud automation is a broad term that refers to the processes and tools an organization uses to reduce the manual efforts associated with provisioning and managing cloud computing workloads. IT teams can apply cloud automation to private, public and hybrid cloud environments. Cloud automation enables IT teams and developers to create, modify, and tear down resources on the cloud automatically.

What is Terraform?

Terraform is a tool for building, changing, and versioning infrastructure safely and efficiently. Terraform can manage existing and popular service providers as well as custom in-house solutions. The infrastructure Terraform can manage includes low-level components such as compute instances, storage, and networking, as well as high-level components such as DNS entries, SaaS features, etc.

What is VPC?

Amazon VPC is the networking layer for Amazon EC2.

The following are the key concepts for VPCs:

  • Virtual private cloud (VPC) — A virtual network dedicated to your AWS account.
  • Subnet — A range of IP addresses in your VPC.
  • Route table — A set of rules, called routes, that are used to determine where network traffic is directed.
  • Internet gateway — A gateway that you attach to your VPC to enable communication between resources in your VPC and the internet.
  • VPC endpoint — Enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network.

What is EC2?

Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) cloud. Using Amazon EC2 eliminates your need to invest in hardware up front, so you can develop and deploy applications faster. You can use Amazon EC2 to launch as many or as few virtual servers as you need, configure security and networking, and manage storage. Amazon EC2 enables you to scale up or down to handle changes in requirements or spikes in popularity, reducing your need to forecast traffic.

Amazon EC2 provides the following features:

  • Virtual computing environments, known as instances
  • Preconfigured templates for your instances, known as Amazon Machine Images (AMIs), that package the bits you need for your server (including the operating system and additional software)
  • Various configurations of CPU, memory, storage, and networking capacity for your instances, known as instance types
  • Secure login information for your instances using key pairs (AWS stores the public key, and you store the private key in a secure place)
  • Storage volumes for temporary data that’s deleted when you stop or terminate your instance, known as instance store volumes
  • Persistent storage volumes for your data using Amazon Elastic Block Store (Amazon EBS), known as Amazon EBS volumes
  • Multiple physical locations for your resources, such as instances and Amazon EBS volumes, known as Regions and Availability Zones
  • A firewall that enables you to specify the protocols, ports, and source IP ranges that can reach your instances using security groups
  • Static IPv4 addresses for dynamic cloud computing, known as Elastic IP addresses
  • Metadata, known as tags, that you can create and assign to your Amazon EC2 resources
  • Virtual networks you can create that are logically isolated from the rest of the AWS cloud, and that you can optionally connect to your own network, known as virtual private clouds (VPCs)

Task Description (Task-3):

We have to create a web portal for our company that is as secure as possible. So we use WordPress software with a dedicated database server. The database must not be accessible from the outside world; only WordPress needs to be exposed to clients.

Steps to Follow :

1) Write infrastructure as code using Terraform that automatically creates a VPC.

2) In that VPC we have to create 2 subnets:

a) public subnet [ Accessible for Public World! ]

b) private subnet [ Restricted for Public World! ]

3) Create a public-facing internet gateway to connect our VPC/network to the internet, and attach this gateway to our VPC.

4) Create a route table with a route to the internet gateway so that instances can reach the outside world, and associate it with the public subnet.

5) Launch an EC2 instance that already has WordPress set up, with a security group allowing port 80 so that clients can connect to our WordPress site. Also attach the key pair to the instance for later login.

6) Launch an EC2 instance that already has MySQL set up, in the private subnet, with a security group allowing port 3306 so that our WordPress VM can connect to it. Also attach the key pair to it.

Note: The WordPress instance has to be part of the public subnet so that clients can reach our site. The MySQL instance has to be part of the private subnet so that the outside world can't connect to it. Don't forget to enable the auto-assign public IP and auto DNS hostname options.

Software Requirements :

  1. Terraform
  2. AWS CLI

Proceed to Code :

1. Declare our cloud provider and give our account details so that Terraform can access our AWS account. We also provide the region where we want to work and the version of the AWS provider, and declare the other providers used later in the code.

# Provider versions are pinned inside the provider blocks (Terraform 0.12
# style; 0.13+ prefers required_providers). "lakshya" is the author's
# AWS CLI profile name; substitute your own.
provider "aws" {
  region  = "ap-south-1"
  profile = "lakshya"
  version = "~> 2.70"
}
provider "local" {
  version = "~> 1.4"
}
provider "tls" {
  version = "~> 2.1"
}
provider "null" {
  version = "~> 2.1"
}

2. Create a VPC.

resource "aws_vpc" "MY-VPC" {
  cidr_block           = "192.168.0.0/16"
  instance_tenancy     = "default"
  enable_dns_hostnames = true
  tags = {
    Name = "MY-VPC"
  }
}

3. Then, create a pair of public and private subnets using the aws_subnet resource. Only the public subnet enables map_public_ip_on_launch.

resource "aws_subnet" "MY-SUBNET-1" {
  vpc_id                  = aws_vpc.MY-VPC.id
  cidr_block              = "192.168.0.0/24"
  availability_zone       = "ap-south-1a"
  map_public_ip_on_launch = true
  tags = {
    Name = "MY-SUBNET-1"
  }
}
resource "aws_subnet" "MY-SUBNET-2" {
  vpc_id            = aws_vpc.MY-VPC.id
  cidr_block        = "192.168.1.0/24"
  availability_zone = "ap-south-1a"
  tags = {
    Name = "MY-SUBNET-2"
  }
}

4. Create an Internet Gateway using the aws_internet_gateway resource.

resource "aws_internet_gateway" "MY-IGW" {
  vpc_id = aws_vpc.MY-VPC.id
  tags = {
    Name = "MY-IGW"
  }
}

5. Then, create a route table using the aws_route_table resource and associate it with the public subnet.

resource "aws_route_table" "MY-RT" {
  vpc_id = aws_vpc.MY-VPC.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.MY-IGW.id
  }
  tags = {
    Name = "MY-RT"
  }
}
# Only the public subnet is associated with this table. MY-SUBNET-2 stays on
# the VPC's main route table, which carries just the local route, so nothing
# in the private subnet has a path to or from the internet.
resource "aws_route_table_association" "a" {
  subnet_id      = aws_subnet.MY-SUBNET-1.id
  route_table_id = aws_route_table.MY-RT.id
}

6. Then, create a private key using the tls_private_key resource.

resource "tls_private_key" "mykey" {
  algorithm = "RSA"
}

7. Create a key pair using the aws_key_pair resource.

resource "aws_key_pair" "kp" {
  key_name   = "mkey"
  public_key = tls_private_key.mykey.public_key_openssh
  depends_on = [
    tls_private_key.mykey
  ]
}

8. Create a local file that stores the private key for later SSH logins.

resource "local_file" "kf" {
  content  = tls_private_key.mykey.private_key_pem
  filename = "mkey.pem"
  # Restrict the key file to its owner: ssh refuses world-readable keys,
  # and this PEM grants shell access to both instances.
  file_permission = "0400"
}

9. Create the security groups for the WordPress and MySQL instances.

resource "aws_security_group" "SG-WP" {
  name        = "Allow_WordPress"
  description = "Allow HTTP & SSH inbound traffic"
  vpc_id      = aws_vpc.MY-VPC.id
  ingress {
    description = "SSH"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    description = "HTTP"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
  tags = {
    Name = "SG-WP"
  }
}
# Step 10 references aws_security_group.SG-MYSQL but its definition was
# missing from the page; it is reconstructed here from the task description:
# TCP 3306 is admitted only from members of the WordPress group, never from
# a CIDR range, so the database accepts no traffic from the internet.
resource "aws_security_group" "SG-MYSQL" {
  name        = "Allow_MySQL"
  description = "Allow MySQL inbound traffic from WordPress only"
  vpc_id      = aws_vpc.MY-VPC.id
  ingress {
    description     = "MySQL from WordPress"
    from_port       = 3306
    to_port         = 3306
    protocol        = "tcp"
    security_groups = [aws_security_group.SG-WP.id]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
  tags = {
    Name = "SG-MYSQL"
  }
}

10. Launch the MySQL and WordPress instances using the key pair and security groups created in the steps above.

resource "aws_instance" "MY_SQL" {
  ami           = "ami-0019ac6129392a0f2"
  instance_type = "t2.micro"
  key_name      = aws_key_pair.kp.key_name
  # Instances launched into a subnet of a custom VPC must reference their
  # security groups by ID through vpc_security_group_ids; the security_groups
  # argument is only for the default VPC / EC2-Classic and fails here.
  vpc_security_group_ids = [aws_security_group.SG-MYSQL.id]
  subnet_id              = aws_subnet.MY-SUBNET-2.id
  tags = {
    Name = "MY_SQL"
  }
}
resource "aws_instance" "MY_WP" {
  depends_on = [
    aws_instance.MY_SQL
  ]
  ami                    = "ami-000cbce3e1b899ebd"
  instance_type          = "t2.micro"
  key_name               = aws_key_pair.kp.key_name
  vpc_security_group_ids = [aws_security_group.SG-WP.id]
  subnet_id              = aws_subnet.MY-SUBNET-1.id
  tags = {
    Name = "MY_WP"
  }
}

11. In the final step, we run a local command that opens the WordPress public IP address in the Google Chrome browser.

resource "null_resource" "null_local" {
  depends_on = [
    aws_instance.MY_WP
  ]
  provisioner "local-exec" {
    # "start chrome" is a Windows shell command; on Linux use xdg-open and
    # on macOS use open.
    command = "start chrome ${aws_instance.MY_WP.public_ip}"
  }
}

Commands to run the code :

On the terminal, just run the following commands -

# To initialize the plugins
terraform init
# To validate the configuration files in the directory
terraform validate
# To create the infrastructure
terraform apply -auto-approve
# To destroy the infrastructure
terraform destroy -auto-approve
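Once the stack is up, the requirement that matters most is the one in the task description: the database must not be reachable from the outside world. The following Python script is an added example, not code from the original article, that checks this against the JSON printed by `terraform show -json` after `terraform apply`. It goes a little beyond the article's own steps: besides confirming that no security group opens TCP/3306 to the internet, it checks that aws_instance.MY_SQL has no public IP and sits in a subnet with no route via an internet gateway, that 3306 on SG-MYSQL is admitted only from the WordPress group, and it warns when SSH is open to the world (as the article's SG-WP is). The resource addresses follow the article; every ID in the embedded SAMPLE_STATE, the helper names and the file name check_db_private.py are constructed for this example.

```python
"""Added check (not from the article): confirm, from `terraform show -json`
output, that the MySQL tier of the stack above cannot be reached from the
internet. Every ID in SAMPLE_STATE is a constructed placeholder."""
import copy
import json
import sys

INTERNET = {"0.0.0.0/0", "::/0"}
DB_PORT, SSH_PORT = 3306, 22

def _res(address, values):
    """One resource entry in `terraform show -json` shape (sample-data helper)."""
    return {"address": address, "type": address.split(".")[0], "values": values}

def _rule(port, cidrs=(), groups=()):
    """One security-group ingress rule as the AWS provider records it."""
    return {"from_port": port, "to_port": port, "protocol": "tcp",
            "cidr_blocks": list(cidrs), "ipv6_cidr_blocks": [], "security_groups": list(groups)}

# Constructed state for the hardened layout: the private subnet has no IGW
# route and SG-MYSQL admits 3306 only from the WordPress group.
SAMPLE_STATE = {"values": {"root_module": {"resources": [
    _res("aws_route_table.MY-RT", {"id": "rtb-pub0001",
         "route": [{"cidr_block": "0.0.0.0/0", "gateway_id": "igw-0001"}]}),
    _res("aws_route_table_association.a",
         {"subnet_id": "subnet-pub0001", "route_table_id": "rtb-pub0001"}),
    _res("aws_security_group.SG-WP", {"id": "sg-wp0001", "ingress": [
        _rule(22, cidrs=["0.0.0.0/0"]), _rule(80, cidrs=["0.0.0.0/0"])]}),
    _res("aws_security_group.SG-MYSQL", {"id": "sg-db0001", "ingress": [
        _rule(3306, groups=["sg-wp0001"])]}),
    _res("aws_instance.MY_WP", {"subnet_id": "subnet-pub0001", "public_ip": "203.0.113.10"}),
    _res("aws_instance.MY_SQL", {"subnet_id": "subnet-priv0001", "public_ip": ""}),
]}}}

def resources(state):
    """Root-module resources from `terraform show -json` output."""
    return state.get("values", {}).get("root_module", {}).get("resources", [])

def rule_covers_port(rule, port):
    """True when an ingress rule admits `port`; protocol "-1" means all ports."""
    if rule.get("protocol") == "-1":
        return True
    return rule.get("from_port", 0) <= port <= rule.get("to_port", -1)

def rule_sources(rule):
    """IPv4 and IPv6 CIDR sources named by an ingress rule."""
    return set(rule.get("cidr_blocks", [])) | set(rule.get("ipv6_cidr_blocks", []))

def internet_routed_subnets(res):
    """Subnet IDs whose associated route table has a route via an internet gateway."""
    igw_tables = {r["values"]["id"] for r in res if r["type"] == "aws_route_table"
                  and any(str(rt.get("gateway_id", "")).startswith("igw-")
                          for rt in r["values"].get("route", []))}
    return {r["values"]["subnet_id"] for r in res
            if r["type"] == "aws_route_table_association"
            and r["values"]["route_table_id"] in igw_tables}

def audit(state):
    """Return FAIL/WARN findings; no FAIL line means the database tier is private."""
    res = resources(state)
    by_addr = {r["address"]: r["values"] for r in res}
    findings = []
    for r in res:
        if r["type"] != "aws_security_group":
            continue
        for rule in r["values"].get("ingress", []):
            if rule_covers_port(rule, DB_PORT) and rule_sources(rule) & INTERNET:
                findings.append(f"FAIL {r['address']}: TCP/{DB_PORT} open to the internet")
            if rule_covers_port(rule, SSH_PORT) and rule_sources(rule) & INTERNET:
                findings.append(f"WARN {r['address']}: SSH open to the internet")
    db = by_addr.get("aws_instance.MY_SQL")
    if db is None:
        return findings + ["FAIL aws_instance.MY_SQL: not present in state"]
    if db.get("public_ip"):
        findings.append("FAIL aws_instance.MY_SQL: has a public IP")
    if db.get("subnet_id") in internet_routed_subnets(res):
        findings.append("FAIL aws_instance.MY_SQL: subnet is routed to an internet gateway")
    wp_sg = by_addr.get("aws_security_group.SG-WP", {}).get("id")
    for rule in by_addr.get("aws_security_group.SG-MYSQL", {}).get("ingress", []):
        if rule_covers_port(rule, DB_PORT) and (
                rule_sources(rule) or set(rule.get("security_groups", [])) != {wp_sg}):
            findings.append("FAIL aws_security_group.SG-MYSQL: 3306 not limited to SG-WP")
    return findings

def open_db_to_internet(state):
    """Copy of `state` with the mistake the check must catch: 3306 open to 0.0.0.0/0."""
    bad = copy.deepcopy(state)
    for r in resources(bad):
        if r["address"] == "aws_security_group.SG-MYSQL":
            r["values"]["ingress"][0]["cidr_blocks"] = ["0.0.0.0/0"]
    return bad

if __name__ == "__main__":
    # Usage after apply: terraform show -json | python check_db_private.py
    state = SAMPLE_STATE if sys.stdin.isatty() else json.load(sys.stdin)
    findings = audit(state)
    print("\n".join(findings) or "OK: database tier is private")
    sys.exit(1 if any(f.startswith("FAIL") for f in findings) else 0)
```

Run without input and the script audits the embedded sample, which yields only the SSH warning; pipe in real `terraform show -json` output and a non-zero exit marks any FAIL. The route-table check matters because a subnet is "private" only by virtue of its routing: a subnet with map_public_ip_on_launch unset but an association to a table that routes 0.0.0.0/0 through an igw- gateway is public as soon as an instance in it gets an Elastic IP.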
