Creating VPC Infrastucture: Terraform & Hosting WordPress

We have to create a web portal for our company with all the security as much as possible.

So, we use Wordpress software with dedicated database server.

Database should not be accessible from the outside world for security purposes.

We only need to public the WordPress to clients.

So here are the steps for proper understanding!

Steps:

1) Write a Infrastructure as code using terraform, which automatically create a VPC.

2) In that VPC we have to create 2 subnets:

  a) public subnet [ Accessible for Public World! ] 

  b) private subnet [ Restricted for Public World! ]

3) Create a public facing internet gateway for connect our VPC/Network to the internet world and attach this gateway to our VPC.

4) Create a routing table for Internet gateway so that instance can connect to outside world, update and associate it with public subnet.

5) Launch an ec2 instance which has Wordpress setup already having the security group allowing port 80 so that our client can connect to our wordpress site.

Also attach the key to instance for further login into it.

6) Launch an ec2 instance which has MYSQL setup already with security group allowing port 3306 in private subnet so that our wordpress vm can connect with the same.

7)Also attach the key with the same.

Note:

• Wordpress instance has to be part of public subnet so that our client can connect our site. 
• MySQL instance has to be part of private subnet so that outside world can't connect to it.
• Don't forgot to add auto ip assign and auto dns name assignment option to be enabled.

Steps to be followed to complete the task:

First we define the provider

provider "aws" {
       profile= "shradha_seth"
       region = "ap-south-1"
}

create vpc

resource "aws_vpc" "myvpc" {
  cidr_block       = "192.168.0.0/16"
  instance_tenancy = "default"
  enable_dns_hostnames = true

}

create the required subnets(public and private both)

resource "aws_subnet" "publicsubnet" {
  vpc_id     = "${aws_vpc.myvpc.id}"
  cidr_block = "192.168.0.0/24"
  availability_zone = "ap-south-1a"
  map_public_ip_on_launch = true
}


resource "aws_subnet" "privatesubnet" {
  vpc_id     = "${aws_vpc.myvpc.id}"
  cidr_block = "192.168.1.0/24"
  availability_zone = "ap-south-1b"

}

create internet gateway

resource "aws_internet_gateway" "mygate" {
  vpc_id = "${aws_vpc.myvpc.id}"

}

create Route tables and associate it with VPC

vpc_id = "${aws_vpc.myvpc.id}"


  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = "${aws_internet_gateway.mygate.id}"
  }
}


resource "aws_route_table_association" "public-rt" {
  subnet_id      = aws_subnet.publicsubnet.id
  route_table_id = aws_route_table.my-rt.id

}

Now we need security for the ports , so lets get started with security groups for each of out instances. SG1 and SG2 are two security groups.

resource "aws_security_group" "sg1" {
  name        = "sg1"
  vpc_id      = "${aws_vpc.myvpc.id}"


  ingress {
    description = "HTTP"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }


  ingress {
    description = "SSH"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }


  ingress {
    description = "HTTPS"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  
  ingress {
    from_port = -1
    to_port	= -1
    protocol	= "icmp"
    cidr_blocks = ["0.0.0.0/0"]
  }


  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}


----------------------------------------------------------------------------------



resource "aws_security_group" "sg2" {
  name        = "sg2"
  vpc_id      = "${aws_vpc.myvpc.id}"


  ingress {
    description = "SSH"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["${aws_subnet.publicsubnet.cidr_block}"]
  }


  ingress {
    description = "MYSQL/Aurora"
    from_port   = 3306
    to_port     = 3306
    protocol    = "tcp"
    cidr_blocks = ["${aws_subnet.publicsubnet.cidr_block}"]
  }


  ingress {
    description = "ICMP - IPv4"
    from_port = -1
    to_port	= -1
    protocol	= "icmp"
    cidr_blocks = ["${aws_subnet.publicsubnet.cidr_block}"]
  }
  
   egress {
    from_port   = 0
    to_port     = 0
    protocol    = -1
    cidr_blocks = ["0.0.0.0/0"]
  }
}

Now we will be launching the wordpress and mysql instances with security groups & vpcs attached in it.

resource "aws_instance" "WordPress" {
ami           = "ami-0979674e4a8c6ea0c"
instance_type = "t2.micro"
key_name      = "tfkey"
subnet_id     = "${aws_subnet.publicsubnet.id}" 
vpc_security_group_ids = ["${aws_security_group.sg1.id}"]
}


resource "aws_instance" "MySql" {
ami           = "ami-76166b19"
instance_type = "t2.micro"
key_name      = "tfkey"
vpc_security_group_ids = ["${aws_security_group.sg2.id}"]
subnet_id     = "${aws_subnet.privatesubnet.id}"

}

After saving this code file run the following commands;

terraform init

terraform apply

and after running the code successfully, all your resources will be added

we need to LOGIN so we will use WINSCP to transfer the key into wordpress and from there we will access MYSQL using the key.

And we can directly login to webserver using the command below in cmd.

•  ssh -i MyKey1.pem -l bitnami@<wp IP>

 now to login into MYSQL we can use ssh in Wordpress instance,

Now we can ping it to google and see its not connect to outer world, keeping the security to its max.

Also we can login to WordPress from the web, using its public IP or DNS.

Thus the wordpress is working perfectly!!

THANK YOU.