Merge pull request #9 from rahuls512/three-tier-project

Created security group and merge the all SG in one sg.tf file,Applica…
rahuls512 · Jul 10, 2023 · 8dc4657 · 8dc4657
2 parents b6ed8eb + cf27d72
commit 8dc4657
Show file tree

Hide file tree

Showing 7 changed files with 315 additions and 54 deletions.
diff --git a/alb.tf b/alb.tf
@@ -0,0 +1,32 @@
+############# Application Load Balancer ################################################################################################
+resource "aws_lb" "this" {
+  name               = "three-tier-alb"
+  internal           = false
+  load_balancer_type = "application"
+  security_groups    = [aws_security_group.lb_sg.id]
+  subnets            = [for each_subnet in aws_subnet.public_subnet : each_subnet.id]
+}
+############# Target group ALB ################################################################################################
+resource "aws_lb_target_group" "this" {
+  name     = "three-tier-tg"
+  port     = 80
+  protocol = "HTTP"
+  vpc_id   = aws_vpc.this.id
+}
+
+resource "aws_lb_target_group_attachment" "test" {
+  target_group_arn = aws_lb_target_group.this.arn
+  target_id        = aws_instance.web.id
+  port             = 80
+}
+############# Listener ALB  ################################################################################################
+resource "aws_lb_listener" "this" {
+  load_balancer_arn = aws_lb.this.arn
+  port              = "80"
+  protocol          = "HTTP"
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.this.arn
+  }
+}
diff --git a/app_server.tf b/app_server.tf
@@ -0,0 +1,161 @@
+module "asg" {
+  source  = "terraform-aws-modules/autoscaling/aws"
+  version = "6.10.0"
+  # Autoscaling group
+  name          = "application-asg"
+  instance_name = "application-server"
+
+  min_size                  = 0
+  max_size                  = 1
+  desired_capacity          = 1
+  wait_for_capacity_timeout = 0
+  health_check_type         = "EC2"
+  vpc_zone_identifier       = [element([for each_subnet in aws_subnet.private_subnet : each_subnet.id], 0)]
+
+  instance_refresh = {
+    strategy = "Rolling"
+    preferences = {
+      checkpoint_delay       = 600
+      checkpoint_percentages = [35, 70, 100]
+      instance_warmup        = 300
+      min_healthy_percentage = 50
+    }
+    triggers = ["tag"]
+  }
+
+  # Launch template
+  launch_template_name        = "application-lt"
+  launch_template_description = "Launch template for application server"
+  update_default_version      = true
+
+  image_id          = "ami-008b85aa3ff5c1b02"
+  instance_type     = "t3.micro"
+  key_name          = var.key_name
+  ebs_optimized     = true
+  enable_monitoring = true
+  security_groups   = [aws_security_group.application_server.id]
+
+  block_device_mappings = [
+    {
+      # Root volume
+      device_name = "/dev/xvda"
+      no_device   = 0
+      ebs = {
+        delete_on_termination = true
+        encrypted             = true
+        volume_size           = 20
+        volume_type           = "gp2"
+      }
+      }, {
+      device_name = "/dev/sda1"
+      no_device   = 1
+      ebs = {
+        delete_on_termination = true
+        encrypted             = true
+        volume_size           = 30
+        volume_type           = "gp2"
+      }
+    }
+  ]
+
+  capacity_reservation_specification = {
+    capacity_reservation_preference = "open"
+  }
+
+  cpu_options = {
+    core_count       = 1
+    threads_per_core = 1
+  }
+
+  credit_specification = {
+    cpu_credits = "standard"
+  }
+
+  # instance_market_options = {
+  #   market_type = "spot"
+  #   spot_options = {
+  #     block_duration_minutes = 60
+  #   }
+  # }
+
+  metadata_options = {
+    http_endpoint               = "enabled"
+    http_tokens                 = "required"
+    http_put_response_hop_limit = 32
+  }
+
+
+  placement = {
+    availability_zone = "us-west-1b"
+  }
+
+  # tag_specifications = [
+  #   {
+  #     resource_type = "instance"
+  #     tags          = { WhatAmI = "Instance" }
+  #   },
+  #   {
+  #     resource_type = "volume"
+  #     tags          = { WhatAmI = "Volume" }
+  #   },
+  #   {
+  #     resource_type = "spot-instances-request"
+  #     tags          = { WhatAmI = "SpotInstanceRequest" }
+  #   }
+  # ]
+
+  initial_lifecycle_hooks = [
+    {
+      name                  = "ExampleStartupLifeCycleHook"
+      default_result        = "CONTINUE"
+      heartbeat_timeout     = 60
+      lifecycle_transition  = "autoscaling:EC2_INSTANCE_LAUNCHING"
+      notification_metadata = jsonencode({ "hello" = "world" })
+    },
+    {
+      name                  = "ExampleTerminationLifeCycleHook"
+      default_result        = "CONTINUE"
+      heartbeat_timeout     = 180
+      lifecycle_transition  = "autoscaling:EC2_INSTANCE_TERMINATING"
+      notification_metadata = jsonencode({ "goodbye" = "world" })
+    }
+  ]
+
+  # Target scaling policy schedule based on average CPU load
+  scaling_policies = {
+    avg-cpu-policy-greater-than-50 = {
+      policy_type               = "TargetTrackingScaling"
+      estimated_instance_warmup = 1200
+      target_tracking_configuration = {
+        predefined_metric_specification = {
+          predefined_metric_type = "ASGAverageCPUUtilization"
+        }
+        target_value = 50.0
+      }
+    },
+    predictive-scaling = {
+      policy_type = "PredictiveScaling"
+      predictive_scaling_configuration = {
+        mode                         = "ForecastAndScale"
+        scheduling_buffer_time       = 10
+        max_capacity_breach_behavior = "IncreaseMaxCapacity"
+        max_capacity_buffer          = 10
+        metric_specification = {
+          target_value = 32
+          predefined_scaling_metric_specification = {
+            predefined_metric_type = "ASGAverageCPUUtilization"
+            resource_label         = "testLabel"
+          }
+          predefined_load_metric_specification = {
+            predefined_metric_type = "ASGTotalCPUUtilization"
+            resource_label         = "testLabel"
+          }
+        }
+      }
+    }
+  }
+
+  tags = {
+    Environment = "dev"
+  }
+}
diff --git a/bastion_host.tf b/bastion_host.tf
@@ -10,28 +10,4 @@ resource "aws_instance" "bastion_host" {
   }
   vpc_security_group_ids = [aws_security_group.bastion_host.id]
 }
-############# Bastion Host Security group ################################################################################################
-resource "aws_security_group" "bastion_host" {
-  name        = "Bastion-Host-SG"
-  description = "Allow ssh traffic into private subnet resource using this"
-  vpc_id      = aws_vpc.this.id
 
-  ingress {
-    description = "Allow ssh to bastion host from anywhere"
-    from_port   = 22
-    to_port     = 22
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  tags = {
-    Name = "bastion-host-sg-allow"
-  }
-}
diff --git a/null_resource.tf b/null_resource.tf
@@ -17,10 +17,10 @@ resource "null_resource" "provisioner" {
   #   provisioner "local-exec" {  
   #   command = "scp -o StrictHostKeyChecking=no -i ~/../Downloads/awskey5.pem ~/../Downloads/awskey5.pem ec2-user@${self.public_ip}:~"  
   #  } 
- 
+
   #Provisioner-file to Automate the file by using the file path for bostion host 
   provisioner "file" {
-      # source = "/../Downloads/awskey01.pem"
+    # source = "/../Downloads/awskey01.pem"
     content     = var.awskey01
     destination = "/home/ec2-user/awskey01"
     on_failure  = continue

diff --git a/sg.tf b/sg.tf
@@ -0,0 +1,105 @@
+############# Web Server Security group ####################################################################################
+resource "aws_security_group" "web" {
+  name        = "web_server-SG"
+  description = "Allow web  traffic"
+  vpc_id      = aws_vpc.this.id
+
+  dynamic "ingress" {
+    for_each = var.inbound_rules_web
+    content {
+      description = ingress.value.description
+      protocol    = ingress.value.protocol
+      from_port   = ingress.value.port
+      to_port     = ingress.value.port
+      cidr_blocks = [aws_vpc.this.cidr_block]
+    }
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "web_server-sg-allow"
+  }
+}
+############# Bastion Host Security group ################################################################################################
+resource "aws_security_group" "bastion_host" {
+  name        = "Bastion-Host-SG"
+  description = "Allow ssh traffic into private subnet resource using this"
+  vpc_id      = aws_vpc.this.id
+
+  ingress {
+    description = "Allow ssh to bastion host from anywhere"
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "bastion-host-sg-allow"
+  }
+}
+############# Application Server Security group ####################################################################################
+resource "aws_security_group" "application_server" {
+  name   = "allow_application_traffic"
+  vpc_id = aws_vpc.this.id
+
+  dynamic "ingress" {
+    for_each = var.inbound_rules_application
+    content {
+      description     = ingress.value.description
+      protocol        = ingress.value.protocol
+      from_port       = ingress.value.port
+      to_port         = ingress.value.port
+      security_groups = [aws_security_group.web.id]
+    }
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "allow_app_server"
+  }
+}
+############# Application Load Balancer ####################################################################################
+resource "aws_security_group" "lb_sg" {
+  name        = "allow_lb"
+  description = "Allow access to load balancer from internet"
+  vpc_id      = aws_vpc.this.id
+
+  ingress {
+    description = "Allow access to load balancer from internet"
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "allow_alb_sg"
+  }
+}
diff --git a/variable.tf b/variable.tf
@@ -74,5 +74,20 @@ variable "bastion_instance_name" {
 variable "awskey01" {
   type = string
 }
+################# Application server security group ingress rule ###################################################################
+variable "inbound_rules_application" {
+  description = "ingress rule for security group of application server"
+  type = list(object({
+    port        = number
+    description = string
+    protocol    = string
+  }))
 
+  default = [
+    {
+      port        = 8080
+      description = "this is for app hosting"
+      protocol    = "tcp"
+  }]
+}
 
diff --git a/web_server.tf b/web_server.tf
@@ -11,31 +11,3 @@ resource "aws_instance" "web" {
   vpc_security_group_ids = [aws_security_group.web.id]
   #   user_data              = file("${path.module}/user_data.sh") #commentout bcz we are not use user_data.tf here
 }
-############# Web Server Security group ####################################################################################
-resource "aws_security_group" "web" {
-  name        = "web_server-SG"
-  description = "Allow web  traffic"
-  vpc_id      = aws_vpc.this.id
-
-  dynamic "ingress" {
-    for_each = var.inbound_rules_web
-    content {
-      description = ingress.value.description
-      protocol    = ingress.value.protocol
-      from_port   = ingress.value.port
-      to_port     = ingress.value.port
-      cidr_blocks = [aws_vpc.this.cidr_block]
-    }
-  }
-
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  tags = {
-    Name = "web_server-sg-allow"
-  }
-}