AWS and Terraform trainings... let's build an enterprise grade app!

Maciej Malek

From time to time, I provide training sessions related to AWS for DevOps and Terraform for beginners.

The last group asked me if they could consider themselves advanced in AWS and Terraform if they are able to write code like this by themselves - https://github.com/infoshareacademy/devops-workshop-08.05.24.

Initially, I said yes, but now I have second thoughts.

That code is neither good nor bad; it was created for a specific purpose:

  • provide a 1.5-hour online workshop/presentation,

  • allow me to avoid making mistakes and focus on the topic,

  • show something working to participants.

In my 9 to 5 job, I’m doing Platform DevOps tasks on AWS for the 5th largest bank in the world. I’m working across multiple accounts, regions, and services, building internal infrastructure, and helping project teams onboard to the cloud. But I’m running a platform, not an application!

I decided to verify my end-to-end knowledge by building, and describing here, a simple container-based application on AWS, but with enterprise-grade infrastructure and security.

Disclaimer

This entire project will incur costs, so if you plan to use my code, please keep an eye on your account expenses, for example, by setting up a Budget and Budget Reports.

Plan, a.k.a. Checklist

  1. Networking

  2. High availability

  3. Installation

  4. Configuration

  5. Provisioning

  6. Deployment

  7. Security

  8. Monitoring

  9. Logs

  10. Backup and restore

  11. Scalability

  12. Performance

  13. Cost optimization

  14. Documentation

  15. Tests

Networking

This part is quite simple. I will build a dedicated VPC for my application. There will be a subnet for containers, a dedicated subnet for the database, and a dedicated subnet for building my containers. Building containers requires internet access, so only the build subnet will have outbound access, via a NAT Gateway and an Internet Gateway; the container and database subnets will have no route to the internet at all.

There will be a second VPC to access my application from the internet, and a third VPC to establish connectivity from the internal corporate network (which, in my case, will be a VPN connection to AWS from my laptop).

High Availability

I will use the Ireland (eu-west-1) region as my primary region. It has three Availability Zones where I will distribute my subnets. To keep things simple and reduce costs, I will create my build infrastructure in only one Availability Zone (and use one NAT Gateway).
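The subnet and egress layout described in the Networking and High Availability sections, as an added Terraform example (not code from the post or its workshop repository): one VPC in eu-west-1, container subnets across all three Availability Zones, and a build tier in a single AZ whose private subnet is the only one with a default route out through the single NAT Gateway. The CIDRs, resource names and AWS provider v5 argument syntax (`domain = "vpc"` on the EIP) are assumptions.

```hcl
locals { azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] }

resource "aws_vpc" "app" {
  cidr_block = "10.10.0.0/16" # constructed address plan, not from the post
}

# Container subnets in all three AZs (database subnets follow the same pattern).
# They stay on the VPC main route table, which has only the local route: no internet path.
resource "aws_subnet" "containers" {
  count             = length(local.azs)
  vpc_id            = aws_vpc.app.id
  cidr_block        = cidrsubnet(aws_vpc.app.cidr_block, 8, count.index)
  availability_zone = local.azs[count.index]
}

# Build tier in one AZ only: a public subnet for the single NAT Gateway, a private one for CodeBuild.
resource "aws_subnet" "build_tier" {
  for_each          = { nat = 20, build = 21 } # third octet of each /24
  vpc_id            = aws_vpc.app.id
  cidr_block        = cidrsubnet(aws_vpc.app.cidr_block, 8, each.value)
  availability_zone = local.azs[0]
}

resource "aws_internet_gateway" "igw" { vpc_id = aws_vpc.app.id }
resource "aws_eip" "nat" { domain = "vpc" }
resource "aws_nat_gateway" "build" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.build_tier["nat"].id
  depends_on    = [aws_internet_gateway.igw]
}

# Only the NAT subnet routes to the IGW, and only the build subnet routes to the NAT Gateway.
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.app.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}
resource "aws_route_table" "build" {
  vpc_id = aws_vpc.app.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.build.id
  }
}
resource "aws_route_table_association" "build_tier" {
  for_each       = { nat = aws_route_table.public.id, build = aws_route_table.build.id }
  subnet_id      = aws_subnet.build_tier[each.key].id
  route_table_id = each.value
}
```

A quick check after `terraform apply` is that the container subnets' effective route table still lists only the VPC-local route; any `0.0.0.0/0` entry there means egress has leaked beyond the build subnet.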

In the external access VPC, I will set up an Application Load Balancer across three subnets and route traffic to my Application VPC via AWS PrivateLink. A similar setup will be used for the internal access VPC.

Installation

Here, I will use AWS CodeBuild to build my container image and store it in AWS Elastic Container Registry. The CodeBuild project will run inside the VPC, in the dedicated build subnet.

Configuration

As I’m going to use Docker images running on Elastic Container Service, I will use a Dockerfile stored on S3. Of course, all configuration files and IaC code will be stored on GitHub. I will use Code Connections to trigger a build on every push to the main branch. If I need to store any secrets, AWS Secrets Manager will be used.

Provisioning

I will use Terraform for Infrastructure as Code and GitHub Actions for CI/CD. I'm considering trying Terraform Cloud, but for now, I'll stick with what I know—GitHub Actions.

The most important thing is to choose a CI/CD system that your company already uses. Don't reinvent the wheel! If you don't have a certified CI/CD system, purchase one. There are many enterprise-grade CI/CD systems for Terraform and AWS, such as Terraform Cloud, env0, and Spacelift. Focus on building products that generate revenue for your company, not on building your own CI/CD system.

Deployment

Elastic Container Service will be used as an orchestration tool. You might have expected to see Kubernetes/EKS here, right? I'm not familiar enough with EKS to teach others how to deploy it. ECS is simple and suitable for most use cases. It is feature-rich and easy to maintain.

To be continued…
