Devavrt1234/terraform-ecs-infra-code

# AWS ECS Microservices Infrastructure with Terraform

This repository contains a complete Terraform infrastructure setup for an AWS ECS-based microservices architecture, matching the reference diagram provided. The infrastructure includes comprehensive security management tools, multi-AZ deployment, a CI/CD pipeline, and MongoDB Atlas integration.

## 🏗️ Architecture Overview

### Components Included:

#### 🔒 Security Management Tools

- **IAM Users & Roles**: Comprehensive permission management
- **AWS Inspector**: Container and EC2 security scanning
- **GuardDuty**: Threat detection and monitoring
- **Encryption Key (KMS)**: Data encryption at rest and in transit
- **CloudTrail**: API activity logging and auditing

#### 🌐 Networking Infrastructure

- **VPC**: Multi-AZ virtual private cloud
- **Public Subnets**: Internet-facing components (ALB, NAT Gateway)
- **Private Subnets**: Secure application and database tiers
- **Internet Gateway**: External connectivity
- **NAT Gateways**: Outbound internet access for private resources

#### 🐳 Container Orchestration

- **ECS Cluster**: Managed container orchestration
- **Frontend Tasks**: Web application frontend services
- **Backend Tasks**: API and business logic services
- **Application Load Balancer**: Traffic distribution and SSL termination

#### 🗄️ Database Layer

- **MongoDB Atlas Cluster**: Managed NoSQL database via VPC Peering
- **VPC Peering**: Secure connection to MongoDB Atlas

#### 🚀 CI/CD Pipeline

- **CodeCommit/GitHub**: Source control
- **CodeBuild**: Build and test automation
- **CodeDeploy**: Blue/green deployments to ECS
- **CodePipeline**: End-to-end pipeline orchestration

## 📁 Project Structure

```
aws-ecs-microservices-terraform/
├── main.tf                 # Main Terraform configuration
├── variables.tf            # Input variables
├── outputs.tf              # Output values
├── terraform.tfvars        # Variable values (customize)
└── modules/
    ├── vpc/                # VPC, subnets, networking
    ├── security/           # IAM, GuardDuty, Inspector, KMS
    ├── alb/                # Application Load Balancer
    ├── ecs/                # ECS cluster and services
    ├── mongodb-atlas/      # MongoDB Atlas integration
    ├── codepipeline/       # CI/CD pipeline
    └── monitoring/         # CloudWatch and logging
```

## 🚀 Quick Start

### Prerequisites

1. **AWS CLI**: Configured with appropriate permissions
2. **Terraform**: Version >= 1.0 installed
3. **MongoDB Atlas Account**: (Optional, for database integration)
4. **GitHub Repository**: For CI/CD pipeline

### Step 1: Clone and Configure

```bash
# Navigate to the project directory
cd C:\Users\user\Documents\aws-ecs-microservices-terraform

# Copy example variables
cp terraform.tfvars.example terraform.tfvars

# Edit variables to match your environment
# notepad terraform.tfvars
```

### Step 2: Initialize Terraform

```bash
terraform init
```

### Step 3: Plan Deployment

```bash
terraform plan
```

### Step 4: Deploy Infrastructure

```bash
terraform apply
```

## 🔧 Configuration Variables

### Required Variables

```hcl
project_name = "your-project-name"
environment  = "dev"        # or staging, prod
aws_region   = "us-east-1"

# GitHub Repository (for CI/CD)
github_repo_owner = "your-github-username"
github_repo_name  = "your-repo-name"

# Container Images
frontend_image_uri = "your-ecr-repo/frontend:latest"
backend_image_uri  = "your-ecr-repo/backend:latest"
```

### Optional Variables

```hcl
# VPC Configuration
vpc_cidr             = "10.0.0.0/16"
public_subnet_cidrs  = ["10.0.1.0/24", "10.0.2.0/24"]
private_subnet_cidrs = ["10.0.3.0/24", "10.0.4.0/24"]

# ECS Task Resources
frontend_cpu    = 256
frontend_memory = 512
backend_cpu     = 512
backend_memory  = 1024

# Security Features
enable_guard_duty = true
enable_inspector  = true
enable_cloudtrail = true

# MongoDB Atlas
mongodb_atlas_project_id      = "your-atlas-project-id"
mongodb_cluster_instance_size = "M10"
```

## 🗂️ Module Details

### VPC Module (`modules/vpc/`)

- Creates multi-AZ VPC with public/private subnets
- Sets up Internet Gateway and NAT Gateways
- Configures route tables and associations
- Includes VPC Flow Logs for network monitoring

### Security Module (`modules/security/`)

- **IAM Roles**: ECS task execution and application roles
- **Security Groups**: Layered security for ALB, frontend, and backend
- **KMS Key**: Encryption key with automatic rotation
- **GuardDuty**: Threat detection with S3, Kubernetes, and malware scanning
- **Inspector V2**: Container and EC2 vulnerability assessment
- **CloudTrail**: Comprehensive API activity logging

### ALB Module (`modules/alb/`)

- Application Load Balancer with SSL/TLS termination
- Target groups for frontend services
- Health checks and routing rules
- Integration with security groups

### ECS Module (`modules/ecs/`)

- ECS Cluster with Fargate launch type
- Frontend and backend service definitions
- Task definitions with resource allocation
- Auto Scaling policies
- CloudWatch logging integration

### MongoDB Atlas Module (`modules/mongodb-atlas/`)

- MongoDB Atlas cluster provisioning
- VPC Peering configuration
- Network security rules
- Database user and access management

### CodePipeline Module (`modules/codepipeline/`)

- Source stage (GitHub integration)
- Build stage (CodeBuild for containerization)
- Deploy stage (CodeDeploy to ECS)
- Artifact management with S3
- IAM roles for pipeline execution

### Monitoring Module (`modules/monitoring/`)

- CloudWatch Log Groups for all services
- Custom metrics and alarms
- Dashboard creation
- SNS notifications for alerts

## 🔐 Security Best Practices

### Network Security

- All application components in private subnets
- Security groups with minimal required access
- NACLs for additional subnet-level protection
- VPC Flow Logs for network traffic monitoring

### Data Protection

- KMS encryption for all data at rest
- SSL/TLS for data in transit
- Secrets Manager for sensitive configuration
- Regular key rotation

### Access Control

- Least privilege IAM policies
- Role-based access for ECS tasks
- Multi-factor authentication for human users
- Service-to-service authentication

### Monitoring & Compliance

- GuardDuty for threat detection
- Inspector for vulnerability scanning
- CloudTrail for audit logging
- CloudWatch for operational monitoring

## 🚀 Deployment Workflow

### Development Workflow

1. **Code Changes**: Push to feature branch
2. **Pull Request**: Peer review process
3. **Merge to Main**: Triggers CI/CD pipeline
4. **Build**: CodeBuild creates container images
5. **Deploy**: Blue/green deployment to ECS
6. **Monitor**: CloudWatch and GuardDuty monitoring

### Production Deployment

1. **Infrastructure as Code**: All resources managed by Terraform
2. **Blue/Green Deployments**: Zero-downtime updates
3. **Health Checks**: Automated rollback on failure
4. **Monitoring**: Real-time metrics and alerting

## 📊 Cost Optimization

### Recommended Instance Types

- **Development**:
  - Frontend: 256 CPU, 512 MB memory
  - Backend: 512 CPU, 1024 MB memory
  - MongoDB Atlas: M10
- **Production**:
  - Frontend: 512 CPU, 1024 MB memory
  - Backend: 1024 CPU, 2048 MB memory
  - MongoDB Atlas: M30+

### Cost-Saving Features

- Fargate Spot for non-critical workloads
- Auto Scaling based on CPU/memory utilization
- CloudWatch log retention policies
- S3 lifecycle policies for artifacts

## 🧪 Testing

### Infrastructure Testing

```bash
# Validate Terraform configuration
terraform validate

# Security scanning
tflint
checkov -f main.tf

# Plan review
terraform plan -out=tfplan
```

### Application Testing

- Container security scanning with Inspector
- Load testing through ALB
- Database connectivity testing
- CI/CD pipeline validation

## 🔄 Updates and Maintenance

### Regular Maintenance Tasks

- Review and update security groups
- Monitor GuardDuty findings
- Update container images with security patches
- Review CloudTrail logs
- Update Terraform provider versions

### Scaling Considerations

- ECS service auto scaling
- ALB target group capacity
- MongoDB Atlas cluster scaling
- VPC subnet capacity planning

## 🆘 Troubleshooting

### Common Issues

1. **ECS Task Startup Failures**: Check IAM roles and security groups
2. **ALB Health Check Failures**: Verify target group settings
3. **VPC Peering Issues**: Check route table configurations
4. **MongoDB Connectivity**: Verify security group rules and peering

### Monitoring Tools

- CloudWatch Logs for application logs
- GuardDuty for security alerts
- Inspector for vulnerability reports
- CloudTrail for API activity

## 📚 Additional Resources

- [AWS ECS Best Practices](https://docs.aws.amazon.com/AmazonECS/latest/bestpracticesguide/)
- [Terraform AWS Provider Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)
- [MongoDB Atlas VPC Peering](https://docs.atlas.mongodb.com/security-vpc-peering/)
- [AWS Security Best Practices](https://aws.amazon.com/architecture/security-identity-compliance/)

## 📄 License

This project is licensed under the MIT License - see the LICENSE file for details.

## 🤝 Contributing

1. Fork the repository
2. Create a feature branch
3. Make your changes
4. Add tests if applicable
5. Submit a pull request

## 📞 Support

For questions or issues:

- Create an issue in this repository
- Review AWS documentation
- Check Terraform community resources
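As an added example, not code from this repository, the following shows how the layered ALB/frontend/backend security groups and the auto-rotated KMS key described in the Security Module and Security Best Practices sections could be written so that each tier is reachable only from the tier in front of it. Container ports 80 and 8080, `var.vpc_id` and `var.atlas_cidr` (the CIDR of the peered Atlas VPC) are assumptions, not the repo's own variables.

```hcl
# Added example, not code from this repository: the layered security-group chain and the
# rotated KMS key the security module describes. Assumed inputs: var.vpc_id, var.atlas_cidr.
resource "aws_security_group" "tier" {
  for_each = toset(["alb", "frontend", "backend"])
  name     = "${each.key}-sg"
  vpc_id   = var.vpc_id
}

# Internet -> ALB: HTTPS only; TLS terminates at the ALB.
resource "aws_vpc_security_group_ingress_rule" "alb_https" {
  security_group_id = aws_security_group.tier["alb"].id
  cidr_ipv4         = "0.0.0.0/0"
  from_port         = 443
  to_port           = 443
  ip_protocol       = "tcp"
}

# ALB -> frontend: source is the ALB's group, not a CIDR, so nothing else in the VPC can reach the tasks.
resource "aws_vpc_security_group_ingress_rule" "frontend_from_alb" {
  security_group_id            = aws_security_group.tier["frontend"].id
  referenced_security_group_id = aws_security_group.tier["alb"].id
  from_port                    = 80
  to_port                      = 80
  ip_protocol                  = "tcp"
}

# Frontend -> backend: the API tier is never reachable from the ALB or the internet.
resource "aws_vpc_security_group_ingress_rule" "backend_from_frontend" {
  security_group_id            = aws_security_group.tier["backend"].id
  referenced_security_group_id = aws_security_group.tier["frontend"].id
  from_port                    = 8080
  to_port                      = 8080
  ip_protocol                  = "tcp"
}

# Backend -> Atlas over VPC peering: port 27017 to the Atlas CIDR only (other egress, e.g. 443 for ECR pulls via NAT, is added the same way).
resource "aws_vpc_security_group_egress_rule" "backend_to_atlas" {
  security_group_id = aws_security_group.tier["backend"].id
  cidr_ipv4         = var.atlas_cidr
  from_port         = 27017
  to_port           = 27017
  ip_protocol       = "tcp"
}

# Customer-managed key for logs, secrets and artifacts at rest; rotation is automatic.
resource "aws_kms_key" "main" {
  description             = "ECS microservices encryption key"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}
```

Because the `aws_security_group` resources declare no inline rules, every allowed flow is an explicit rule resource, which is what `checkov` and `tflint` in the Testing section can review one by one.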