Infrastructure as Code repository for a technical interview at RapidScale. This repository contains all resources and policy definitions, as well as the deployment pipeline to put the entire application into production.
This project also integrates AWS Bedrock, leveraging Claude 3 Haiku foundational large language model (LLM), to support AI-powered question-answering capabilities within the application.
πTo access the application repository, please visit the following link: RapidScale Application Interview Repository
πTo access the presentation slides, please visit: Presentation slides.
- π‘Description
- πTable of Contents
- πProject Infrastructure Documentation
- ποΈTerraform docs
- πHow to install
This project leverages Infrastructure as Code (IaC) to deploy and manage a scalable, secure, and highly available application architecture on AWS. The architecture is designed following best practices for security, performance, and maintainability.
πTo access the application repository, please visit the following link: RapidScale Application Interview Repository
πTo access the presentation slides, please visit: Presentation slides.
To manage the Terraform state file and ensure safe concurrent operations, the following backend components are deployed:
- Amazon S3 Bucket:
- Stores the Terraform state file.
- Versioning is enabled to maintain state history and support rollbacks.
- Amazon DynamoDB Table:
- Manages state locking to prevent concurrent changes and ensure state consistency.
The infrastructure includes a Virtual Private Cloud (VPC) designed for high availability and segregation of public and private resources.
- Subnets:
- 2 Public Subnets: Deployed across two Availability Zones (AZs) to handle public-facing resources.
- 2 Private Subnets: Deployed across two AZs to host backend services securely.
- Routing:
- Public subnets route traffic to the internet via an Internet Gateway.
- Private subnets route outbound traffic through a NAT Gateway located in the public subnets.
An Application Load Balancer (ALB) is deployed in the public subnets to handle inbound traffic to the application. Key features:
- Multi-AZ Deployment: Ensures high availability by distributing traffic across multiple AZs.
- HTTPS Support: Secure communication is enforced with HTTPS.
- Target Groups: The ALB forwards traffic to target groups associated with the ECS service.
The private subnets host an Elastic Container Service (ECS) deployment running the containerized application. The application image is pulled from Amazon Elastic Container Registry (ECR).
- Service Deployment:
- Multi-AZ Support: Tasks are distributed across private subnets in different AZs to ensure availability.
- Task Definition:
- The application is containerized and runs as a task in ECS.
- The container image is securely fetched from Amazon ECR.
All application secrets, such as API keys, database credentials, and other sensitive information, are securely managed using AWS Secrets Manager.
- Secure Storage:
- Secrets are encrypted at rest using AWS KMS (Key Management Service).
- Dynamic Secrets:
- Secrets can be rotated automatically based on defined schedules, reducing exposure to stale credentials.
- Fine-Grained Access Control:
- Access to secrets is restricted using IAM policies to ensure only authorized ECS tasks can retrieve them.
- Integration with ECS:
- Secrets are securely injected into ECS tasks as environment variables, ensuring sensitive information is not exposed in logs or configuration files.
- Infrastructure Deployment:
- The infrastructure is defined using Terraform.
- Terraform provisions the following resources:
- S3 Bucket and DynamoDB Table for the backend.
- VPC with subnets, Internet Gateway, NAT Gateway, and routing configurations.
- Security groups for controlling traffic.
- ECS cluster, service, and task definition.
- ALB, listeners, and associated target groups.
- AWS Secrets Manager for managing application secrets.
- Application Deployment:
- The application is containerized and pushed to Amazon ECR via CI pipeline.
- ECS task definition is updated with the new container image, creating a new task revision via CI Pipeline.
- ECS service is updated to use the new task revision, triggering a rolling update of the service.
- ECS retrieves secrets from AWS Secrets Manager and injects them into the container environment.
- State Management:
- Terraform backend uses the S3 bucket for storing the state file and DynamoDB for locking to prevent concurrent operations ensuring state consistency.
- IAM Roles and Policies:
- Least privilege IAM roles are assigned to resources such as ECS tasks, ALB, and backend components.
- Secrets Management:
- Secrets are encrypted in AWS Secrets Manager and securely retrieved by ECS tasks.
- IAM policies ensure secrets are accessible only by authorized services.
- Network Isolation:
- Private subnets ensure backend services are not exposed to the internet.
- Security groups restrict traffic to only necessary ports.
- Data Encryption:
- S3 bucket is encrypted with SSE (Server-Side Encryption).
- The backup AZ ensures high availability in the case that the default AZ is not working, the service will be enabled from the second one.
- The ALB distributes incoming traffic across tasks efficiently.
- Immutable Infrastructure: Ensures predictable and consistent deployments.
- IaC (Infrastructure as Code): All resources are defined in Terraform for easy versioning and reproducibility, and applying modularity for reusability.
- Monitoring and Logging:
- AWS CloudWatch monitors ECS tasks, and other resources.
- Logs are centralized in CloudWatch for easy debugging.
- Secrets Management:
- AWS Secrets Manager is used for secure and centralized management of application secrets.
- Add VPC Endpoints for AWS Bedrock and Elastic Container Registry, for retrieving container images using AWS Backbone instead of the internet. Increasing the security levels of the resources in private subnets.
- Enable ECS task spot instances for cost optimization (depending on the application requirements).
- Implement autoscaling policies for ECS tasks based on CPU and memory utilization.
- Enable ALB access logs for monitoring and auditing.
- Resources
- Module/aws_ecr
- Module/aws_elastic_ip
- Module/aws_igw
- Module/aws_nat_gateway
- Module/aws_route
- Module/aws_route_table
- Module/aws_route_table_association
- Module/aws_subnet
- Module/aws_vpc
- Terraform installed on your local machine.
- AWS CLI installed and configured with appropriate credentials (To execute the CloudFormation stack, otherwise you can grab the template and load it manually into the AWS Console).
- Clone the repository:
git clone [email protected]:rcanelav/rs-infra.git cd rs-infra - Access the project directory:
- If CloudFormation template is going to be deployed from the local machine:
make oidc - Deploy the Terraform backend stack:
make backend-create - Generate TF vars template file:
make tfvars - Initialize Terraform:
cd src terraform init - Push commits to trigger the CI that validates the code and deploys the infrastructure. (You can also deploy it from your local but you will need the AWS CLI installed and an account configured with the required permissions) - If you want to know more about the deployment process
πTo access the application repository, please visit the following link: RapidScale Application Interview Repository
πTo access the presentation slides, please visit: Presentation slides.
Thanks for reading! π