Prompt Details
- Model: claude-4-7-opus
- Token size: 452
Example input
[CLOUD_PROVIDER]: AWS
[INFRASTRUCTURE_NEEDS]: A VPC with private subnets and an ECS Fargate Cluster.
[SECURITY_COMPLIANCE]: Containers must not have public IPs. ECS execution role must be strictly scoped.
[STATE_MANAGEMENT]: AWS S3 with DynamoDB locking
Example output
# Terraform Infrastructure Blueprint
## PHASE 1: INFRASTRUCTURE TOPOLOGY
**Architecture Overview:**
We are provisioning a highly available AWS networking foundation and a serverless container environment. The topology includes:
- A Virtual Private Cloud (VPC) spanning 2 Availability Zones.
- Public subnets with Internet Gateways for Application Load Balancers (ALB).
- Private subnets with NAT Gateways for Fargate ECS tasks.
- An Amazon ECS Cluster to run serverless containers securely without exposing underlying instances.
## PHASE 2: TERRAFORM HCL CODE
### main.tf
```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = var.aws_region
}

# VPC and Networking
resource "aws_vpc" "main" {
  cidr_block           = var.vpc_cidr
  enable_dns_hostnames = true
  enable_dns_support   = true
  tags                 = { Name = "${var.environment}-vpc" }
}

# Private subnets, one per AZ. map_public_ip_on_launch is left at its default
# of false, so ENIs created here (including Fargate task ENIs) get no public IP.
resource "aws_subnet" "private" {
  count             = 2
  vpc_id            = aws_vpc.main.id
  cidr_block        = cidrsubnet(var.vpc_cidr, 8, count.index)
  availability_zone = data.aws_availability_zones.available.names[count.index]
  tags              = { Name = "${var.environment}-private-${count.index}" }
}

# ECS Cluster
resource "aws_ecs_cluster" "app_cluster" {
  name = "${var.environment}-ecs-cluster"
  setting {
    name  = "containerInsights"
    value = "enabled"
  }
}

# IAM Role for ECS Task Execution (used by the Fargate agent, not by the
# application code: it only needs to pull the image and write logs)
resource "aws_iam_role" "ecs_execution_role" {
  name = "${var.environment}-ecs-execution-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action    = "sts:AssumeRole"
      Effect    = "Allow"
      Principal = { Service = "ecs-tasks.amazonaws.com" }
    }]
  })
}

resource "aws_iam_role_policy_attachment" "ecs_execution_role_policy" {
  role       = aws_iam_role.ecs_execution_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}
```
### variables.tf
```hcl
variable "aws_region" {
  description = "AWS region for deployment"
  type        = string
  default     = "us-east-1"
}

variable "environment" {
  description = "Environment name (dev, staging, prod)"
  type        = string
}

variable "vpc_cidr" {
  description = "CIDR block for the VPC"
  type        = string
  default     = "10.0.0.0/16"
}

data "aws_availability_zones" "available" {
  state = "available"
}
```
### outputs.tf
```hcl
output "vpc_id" {
  description = "The ID of the VPC"
  value       = aws_vpc.main.id
}

output "ecs_cluster_name" {
  description = "The name of the ECS cluster"
  value       = aws_ecs_cluster.app_cluster.name
}

output "private_subnet_ids" {
  description = "List of private subnet IDs"
  value       = aws_subnet.private[*].id
}
```
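PHASE 1 promises public subnets with an Internet Gateway and private subnets that egress through NAT Gateways, but the generated HCL above stops at the private subnets: with no route table of their own they fall back to the VPC main route table, and Fargate tasks in them could not reach ECR or CloudWatch. The block below is an added example, not part of the listing's output, that supplies the routing the overview describes. It assumes the page's `aws_vpc.main`, `aws_subnet.private` and `data.aws_availability_zones.available` exist in the same root module; the public subnet offset and resource names are my own choices.

```hcl
# Added example: public/NAT routing for the topology in PHASE 1.
# Assumes aws_vpc.main, aws_subnet.private and
# data.aws_availability_zones.available from the generated main.tf.

# Public subnets, offset by 100 so they never collide with the private /24s
# carved by cidrsubnet(var.vpc_cidr, 8, 0..1). Only the ALB and the NAT
# gateways live here; application tasks never do.
resource "aws_subnet" "public" {
  count                   = 2
  vpc_id                  = aws_vpc.main.id
  cidr_block              = cidrsubnet(var.vpc_cidr, 8, count.index + 100)
  availability_zone       = data.aws_availability_zones.available.names[count.index]
  map_public_ip_on_launch = true
  tags                    = { Name = "${var.environment}-public-${count.index}" }
}

resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.main.id
  tags   = { Name = "${var.environment}-igw" }
}

resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}

resource "aws_route_table_association" "public" {
  count          = 2
  subnet_id      = aws_subnet.public[count.index].id
  route_table_id = aws_route_table.public.id
}

# One NAT gateway per AZ so the loss of one AZ does not cut egress for the other.
resource "aws_eip" "nat" {
  count  = 2
  domain = "vpc"
}

resource "aws_nat_gateway" "nat" {
  count         = 2
  allocation_id = aws_eip.nat[count.index].id
  subnet_id     = aws_subnet.public[count.index].id
  depends_on    = [aws_internet_gateway.igw]
}

# Private route tables: default route through the same-AZ NAT gateway.
# There is deliberately no route to the IGW, so nothing in these subnets
# is reachable inbound from the internet; only outbound-initiated flows work.
resource "aws_route_table" "private" {
  count  = 2
  vpc_id = aws_vpc.main.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat[count.index].id
  }
}

resource "aws_route_table_association" "private" {
  count          = 2
  subnet_id      = aws_subnet.private[count.index].id
  route_table_id = aws_route_table.private[count.index].id
}
```

Without the private route table associations, `terraform apply` succeeds but the tasks stay in `PROVISIONING`/`STOPPED` with image-pull errors, which is the usual first symptom that the private subnets have no egress path. If NAT egress is not wanted at all, interface VPC endpoints for ECR, S3 and CloudWatch Logs are the alternative; that is a different design from the one the overview states, so it is not shown here.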
## PHASE 3: SECURITY & IAM ENFORCEMENT
**Least Privilege Design:**
- The ECS tasks are placed strictly in private subnets. They cannot be reached directly from the internet; traffic must flow through an Application Load Balancer.
- The `ecs_execution_role` is scoped specifically to allow Fargate to pull container images from ECR and push logs to CloudWatch. It does not grant the containers themselves any permissions to read S3 buckets or databases, preventing lateral movement if a container is compromised.
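The two requirements in the example input, no public IPs on containers and a strictly scoped execution role, are enforced at the task definition and service level, which the generated output never shows. The block below is an added example, not code from the listing, that wires those settings up and separates the execution role (Fargate's own credentials) from a task role (the application's credentials). It assumes the page's `aws_vpc.main`, `aws_subnet.private`, `aws_ecs_cluster.app_cluster` and `aws_iam_role.ecs_execution_role`; the `alb_security_group_id` variable, the SSM parameter path, the ECR repository name and image tag are hypothetical, and the ALB target-group attachment is left out.

```hcl
# Added example: task definition and service enforcing the PHASE 3 design.
# Assumes aws_vpc.main, aws_subnet.private, aws_ecs_cluster.app_cluster and
# aws_iam_role.ecs_execution_role from the generated main.tf.

# Hypothetical: the ALB's security group is created elsewhere.
variable "alb_security_group_id" {
  description = "Security group of the ALB that fronts the tasks"
  type        = string
}

data "aws_caller_identity" "current" {}

# Tasks accept traffic only from the ALB on the container port; nothing else inbound.
resource "aws_security_group" "tasks" {
  name   = "${var.environment}-ecs-tasks"
  vpc_id = aws_vpc.main.id

  ingress {
    from_port       = 8080
    to_port         = 8080
    protocol        = "tcp"
    security_groups = [var.alb_security_group_id]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Task role: what the application code may call. Kept apart from the execution
# role so that a compromised container holds only these permissions.
resource "aws_iam_role" "ecs_task_role" {
  name = "${var.environment}-ecs-task-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action    = "sts:AssumeRole"
      Effect    = "Allow"
      Principal = { Service = "ecs-tasks.amazonaws.com" }
      # Confused-deputy guard AWS recommends for ECS task roles: only tasks in
      # this account's clusters may assume the role.
      Condition = {
        StringEquals = { "aws:SourceAccount" = data.aws_caller_identity.current.account_id }
        ArnLike      = { "aws:SourceArn" = "arn:aws:ecs:${var.aws_region}:${data.aws_caller_identity.current.account_id}:*" }
      }
    }]
  })
}

# Hypothetical application permission: read its own SSM parameter path, nothing else.
resource "aws_iam_role_policy" "ecs_task_role_policy" {
  name = "${var.environment}-ecs-task-policy"
  role = aws_iam_role.ecs_task_role.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["ssm:GetParameter", "ssm:GetParametersByPath"]
      Resource = "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}/app/*"
    }]
  })
}

resource "aws_ecs_task_definition" "app" {
  family                   = "${var.environment}-app"
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc" # mandatory on Fargate; each task gets its own ENI
  cpu                      = 256
  memory                   = 512
  execution_role_arn       = aws_iam_role.ecs_execution_role.arn # pull image, write logs
  task_role_arn            = aws_iam_role.ecs_task_role.arn      # what the app code can call
  container_definitions = jsonencode([{
    name                   = "app"
    image                  = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.aws_region}.amazonaws.com/app:PLACEHOLDER_TAG" # placeholder
    essential              = true
    readonlyRootFilesystem = true
    portMappings           = [{ containerPort = 8080, protocol = "tcp" }]
  }])
}

resource "aws_ecs_service" "app" {
  name            = "${var.environment}-app"
  cluster         = aws_ecs_cluster.app_cluster.id
  task_definition = aws_ecs_task_definition.app.arn
  desired_count   = 2
  launch_type     = "FARGATE"

  network_configuration {
    subnets          = aws_subnet.private[*].id
    security_groups  = [aws_security_group.tasks.id]
    assign_public_ip = false # the compliance requirement, pinned rather than left to the default
  }
}
```

`assign_public_ip = false` combined with private subnets is what satisfies "containers must not have public IPs"; the subnet placement alone is not a guarantee, because a service in a public subnet with `assign_public_ip = true` would get one. Reviewing the plan for any `assign_public_ip = true` on `aws_ecs_service` resources is a cheap check to add to CI.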
## PHASE 4: DEPLOYMENT & STATE STRATEGY
**State Backend Configuration:**
Because you specified AWS S3 with DynamoDB locking, add this `backend` block to the `terraform` block in your `main.tf` (Terraform merges multiple `terraform` blocks, so it can also stand on its own in a `backend.tf`):

```hcl
terraform {
  backend "s3" {
    bucket         = "your-company-terraform-state"
    key            = "ecs-cluster/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "terraform-state-lock"
  }
}
```
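The backend block points at a bucket and a lock table that must already exist before `terraform init` runs, and Terraform state holds every secret the provider ever returned in plain text. The block below is an added example, not part of the listing's output, showing how I would bootstrap those two resources in a separate root module that uses local state. The bucket and table names match the page's backend block and are placeholders to rename; the KMS choice and retention settings are my own.

```hcl
# Added example: bootstrap for the PHASE 4 backend. Lives in its own root
# module (local state) because the backend cannot depend on resources it
# stores state for. Names match the page's backend block; rename them.
resource "aws_s3_bucket" "tf_state" {
  bucket = "your-company-terraform-state"
}

# Keep object history so a corrupted or maliciously edited state can be rolled back.
resource "aws_s3_bucket_versioning" "tf_state" {
  bucket = aws_s3_bucket.tf_state.id
  versioning_configuration {
    status = "Enabled"
  }
}

# Encrypt at rest with KMS (the backend's encrypt = true only requests SSE; the
# bucket default makes it unconditional for every writer).
resource "aws_s3_bucket_server_side_encryption_configuration" "tf_state" {
  bucket = aws_s3_bucket.tf_state.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "aws:kms"
    }
  }
}

resource "aws_s3_bucket_public_access_block" "tf_state" {
  bucket                  = aws_s3_bucket.tf_state.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Refuse any request that does not arrive over TLS.
resource "aws_s3_bucket_policy" "tf_state_tls_only" {
  bucket = aws_s3_bucket.tf_state.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyInsecureTransport"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource  = [aws_s3_bucket.tf_state.arn, "${aws_s3_bucket.tf_state.arn}/*"]
      Condition = { Bool = { "aws:SecureTransport" = "false" } }
    }]
  })
}

# Lock table: Terraform requires a string hash key named exactly LockID.
resource "aws_dynamodb_table" "tf_lock" {
  name         = "terraform-state-lock"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"
  attribute {
    name = "LockID"
    type = "S"
  }
}
```

Access to this bucket should be limited to the CI role and a small break-glass group; anyone who can read it can read every secret in state, and anyone who can write it can redirect the next `apply`. Note that Terraform 1.10 and later can lock natively in S3 with `use_lockfile = true` in the backend block, which removes the DynamoDB dependency; the DynamoDB form shown here is what the example input asked for.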
**Deployment Commands:**
1. `terraform init`
2. `terraform validate`
3. `terraform plan -var="environment=prod"`
4. `terraform apply -var="environment=prod" -auto-approve`
Stop clicking through cloud consoles. This enterprise prompt acts as a Principal Platform Engineer, generating production-ready Terraform HCL code for AWS, GCP, or Azure. It builds modular, secure infrastructure as code, complete with IAM least-privilege roles, network isolation, and state management strategies. Perfect for DevOps teams migrating to GitOps. Outputs clean main.tf, variables.tf, and outputs.tf files ready for terraform apply.
Added 1 week ago
