Production-ready Terraform infrastructure for deploying containerized applications on AWS
A complete, modular Terraform setup that provisions a full AWS infrastructure with separate dev, staging, and production environments. Perfect for teams looking to deploy scalable, secure, and cost-optimized containerized applications.
This template provides everything you need to run a production-grade containerized application on AWS:
- Complete Infrastructure: VPC, Load Balancers, Databases, Container Services, and more
- Security First: Private subnets, security groups, bastion host for secure access
- Auto-Scaling: ECS Fargate with CPU/memory-based scaling
- Cost Optimized: FARGATE_SPOT for non-prod, right-sized instances
- CI/CD Ready: GitHub Actions integration with ECR
- Multi-Environment: Separate dev, staging, and production environments (each with its own ALB, ECS service, database and secrets; the VPC and ECR registry are shared)
- Observable: CloudWatch logs and metrics built-in
Total Resources: ~113 AWS resources across all environments
| Component | Description | Environments |
|---|---|---|
| VPC | Multi-AZ with public/private subnets, NAT gateways | Shared |
| ALB | Application Load Balancers with health checks | 3 (dev, staging, prod) |
| ECS Fargate | Serverless container orchestration with auto-scaling | 3 (dev, staging, prod) |
| RDS PostgreSQL | Managed databases (Multi-AZ for prod) | 3 (dev, staging, prod) |
| ECR | Private Docker container registry | Shared |
| Bastion Host | SSH jump host for database access (restrict its security group to your operator IP ranges) | Shared |
| Route53 | DNS management (optional) | Shared |
| Secrets Manager | Secure credential storage | 3 (dev, staging, prod) |
| CloudWatch | Logs and monitoring | All resources |
| GitHub Actions | Automated CI/CD pipeline | Included |
| Resource | Dev | Staging | Production |
|---|---|---|---|
| ECS Tasks | 1-4 (SPOT) | 1-4 (SPOT) | 2-10 (On-Demand) |
| Task Size | 256 CPU / 512 MB | 256 CPU / 512 MB | 512 CPU / 1024 MB |
| RDS Instance | db.t3.medium | db.t3.large | db.r6g.2xlarge |
| RDS Storage | 20 GB | 50 GB | 100-1000 GB (auto-scale) |
| Multi-AZ | No | No | Yes |
| Backups | 7 days | 7 days | 30 days |
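As an added example (not the template's own `ecs` module), the following Terraform expresses the sizing table above as a single map and lets it drive the task definition, service and autoscaling target for every environment, with FARGATE_SPOT for dev/staging and on-demand FARGATE for prod. It also shows the difference between non-sensitive settings passed as `environment` and the database password injected from Secrets Manager as a `secrets` entry. Everything it references outside the block is assumed to exist elsewhere in your configuration: `var.project`, `var.region`, `var.private_app_subnet_ids`, `var.image_tag` (a map of environment to the image tag pushed by CI), `aws_ecs_cluster.this` with the FARGATE and FARGATE_SPOT capacity providers attached, `aws_ecr_repository.app`, `aws_db_instance.app[env]`, `aws_secretsmanager_secret.db[env]`, the two IAM roles, `aws_security_group.ecs[env]` and `aws_lb_target_group.app[env]`.

```hcl
# Added example (not the template's own ecs module); see the lead-in for the names assumed to exist elsewhere.

variable "environments" {
  type = map(object({
    cpu               = number
    memory            = number
    min_tasks         = number
    max_tasks         = number
    capacity_provider = string # FARGATE_SPOT tasks can be reclaimed with 2 minutes' notice
  }))
  default = {
    dev     = { cpu = 256, memory = 512, min_tasks = 1, max_tasks = 4, capacity_provider = "FARGATE_SPOT" }
    staging = { cpu = 256, memory = 512, min_tasks = 1, max_tasks = 4, capacity_provider = "FARGATE_SPOT" }
    prod    = { cpu = 512, memory = 1024, min_tasks = 2, max_tasks = 10, capacity_provider = "FARGATE" }
  }
}

resource "aws_ecs_task_definition" "app" {
  for_each                 = var.environments
  family                   = "${var.project}-${each.key}"
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = each.value.cpu
  memory                   = each.value.memory
  execution_role_arn       = aws_iam_role.ecs_execution.arn # needs secretsmanager:GetSecretValue on the secret below
  task_role_arn            = aws_iam_role.ecs_task[each.key].arn

  container_definitions = jsonencode([{
    name         = "app"
    image        = "${aws_ecr_repository.app.repository_url}:${var.image_tag[each.key]}" # unique tag pushed by CI
    essential    = true
    portMappings = [{ containerPort = 8080, protocol = "tcp" }]
    environment  = [{ name = "DB_HOST", value = aws_db_instance.app[each.key].address }] # non-sensitive only
    # The password is fetched from Secrets Manager at task start, so it never appears
    # in the task definition, the Terraform state or the console.
    secrets = [{ name = "DB_PASSWORD", valueFrom = aws_secretsmanager_secret.db[each.key].arn }]
    logConfiguration = {
      logDriver = "awslogs"
      options = {
        awslogs-group         = "/ecs/${var.project}-${each.key}"
        awslogs-region        = var.region
        awslogs-stream-prefix = "app"
      }
    }
  }])
}

resource "aws_ecs_service" "app" {
  for_each        = var.environments
  name            = "${var.project}-${each.key}"
  cluster         = aws_ecs_cluster.this.id
  task_definition = aws_ecs_task_definition.app[each.key].arn
  desired_count   = each.value.min_tasks

  capacity_provider_strategy {
    capacity_provider = each.value.capacity_provider
    weight            = 1
  }

  network_configuration {
    subnets          = var.private_app_subnet_ids
    security_groups  = [aws_security_group.ecs[each.key].id]
    assign_public_ip = false # private subnet; ECR and Secrets Manager are reached via the NAT gateway
  }

  load_balancer {
    target_group_arn = aws_lb_target_group.app[each.key].arn
    container_name   = "app"
    container_port   = 8080
  }

  lifecycle {
    ignore_changes = [desired_count] # the autoscaler owns the count after the first apply
  }
}

resource "aws_appautoscaling_target" "ecs" {
  for_each           = var.environments
  service_namespace  = "ecs"
  resource_id        = "service/${aws_ecs_cluster.this.name}/${aws_ecs_service.app[each.key].name}"
  scalable_dimension = "ecs:service:DesiredCount"
  min_capacity       = each.value.min_tasks
  max_capacity       = each.value.max_tasks
}

resource "aws_appautoscaling_policy" "cpu" {
  for_each           = var.environments
  name               = "${var.project}-${each.key}-cpu"
  policy_type        = "TargetTrackingScaling"
  service_namespace  = aws_appautoscaling_target.ecs[each.key].service_namespace
  resource_id        = aws_appautoscaling_target.ecs[each.key].resource_id
  scalable_dimension = aws_appautoscaling_target.ecs[each.key].scalable_dimension
  target_tracking_scaling_policy_configuration {
    target_value = 60 # hold average CPU near 60 %; add a twin policy on ECSServiceAverageMemoryUtilization for memory
    predefined_metric_specification {
      predefined_metric_type = "ECSServiceAverageCPUUtilization"
    }
  }
}
```

Adding a fourth environment is a matter of adding a key to `environments`; the `for_each` blocks create the task definition, service and scaling target for it on the next `terraform apply`. The execution role must be allowed `secretsmanager:GetSecretValue` on exactly the secret ARN it reads, not `*`; a task only ever needs its own environment's credential.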
```
aws-env-template/
├── vpc/                 # VPC, subnets, NAT gateways, routing
├── security-groups/     # Security groups for ALB, ECS, RDS
├── alb/                 # Application Load Balancers
├── database/            # RDS PostgreSQL databases
├── ecr/                 # Container registry
├── ecs/                 # ECS Fargate clusters & services
├── bastion/             # Bastion host for DB access
├── route53/             # DNS configuration (optional)
├── ci-cd/               # GitHub Actions workflow for deployments
├── ARCHITECTURE.md      # Detailed architecture documentation
├── GETTING-STARTED.md   # Step-by-step deployment guide
├── architecture.mmd     # Mermaid diagram
└── README.md            # This file
```
Each module is self-contained with:
- `main.tf` - Resource definitions
- `variables.tf` - Input variables
- `outputs.tf` - Output values
- `README.md` - Module-specific documentation
- `terraform.tfvars` - You create this with your values
- AWS account with appropriate permissions
- AWS CLI installed and configured (`aws configure`)
- Terraform >= 1.0 installed
- Basic knowledge of AWS, Terraform, and Docker
See GETTING-STARTED.md for detailed step-by-step instructions.

Quick overview:
- Clone this repository
- Configure each module's `terraform.tfvars` with your project name
- Deploy modules in order: VPC → Security Groups → ALB → Database → ECR → ECS → Bastion → Route53
- Deploy your application using the ECR repository and GitHub Actions

Deployment time: ~30-45 minutes for all modules
| Document | Description |
|---|---|
| GETTING-STARTED.md | Complete step-by-step deployment guide |
| ARCHITECTURE.md | Detailed architecture diagrams and explanations |
| ci-cd/README.md | GitHub Actions CI/CD setup and configuration |
| architecture.mmd | Mermaid diagrams (view on GitHub) |
| Module READMEs | Specific instructions for each infrastructure component |
```
┌─────────────┐
│  Internet   │
│  (Users)    │
└──────┬──────┘
       │
       ▼
┌──────────────────────┐
│  Application Load    │
│  Balancer            │  ← Public Subnet
└──────┬───────────────┘
       │
       ▼
┌──────────────────────┐
│  ECS Fargate         │
│  (Auto-scaling)      │  ← Private App Subnet
└──────┬───────────────┘
       │
       ▼
┌──────────────────────┐
│  RDS PostgreSQL      │
│  (Multi-AZ for prod) │  ← Private DB Subnet
└──────────────────────┘
```
| Feature | Description |
|---|---|
| Multi-Environment | Separate dev, staging, and production environments (own ALB, ECS service, database and secrets; VPC and ECR are shared) |
| Auto-Scaling | ECS tasks scale based on CPU and memory metrics |
| Security | Private subnets, security groups, encrypted databases |
| High Availability | Multi-AZ deployment for production databases and load balancers |
| Monitoring | CloudWatch logs, metrics, and alarms for all services |
| CI/CD Ready | GitHub Actions workflows for automated deployments |
| Backup & Recovery | Automated RDS backups (7-30 days retention) |
| Secrets Management | AWS Secrets Manager for database credentials |

See ARCHITECTURE.md for detailed diagrams and network flow explanations.
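The three tiers in the diagram only ever talk to the tier directly above them. The following Terraform is an added example of how to express that with security group references instead of CIDR ranges; it is not the template's own `security-groups` module. It assumes `var.project` and `var.vpc_id` are defined elsewhere, and it declares a hypothetical `var.bastion_cidr_allowlist` input for the operator ranges allowed to SSH to the bastion, with a validation rule that refuses `0.0.0.0/0`.

```hcl
# Added example (not the template's security-groups module). Assumed inputs:
# var.project, var.vpc_id; var.bastion_cidr_allowlist is declared here.

variable "bastion_cidr_allowlist" {
  description = "Operator source ranges allowed to SSH to the bastion (office/VPN egress IPs)"
  type        = list(string)

  validation {
    condition     = !contains(var.bastion_cidr_allowlist, "0.0.0.0/0")
    error_message = "The bastion must not accept SSH from the whole internet."
  }
}

# Tier 1: the only component reachable from the internet.
resource "aws_security_group" "alb" {
  name        = "${var.project}-alb"
  description = "Public entry point: HTTP and HTTPS from anywhere"
  vpc_id      = var.vpc_id

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Tier 2: tasks accept the container port from the ALB's security group only,
# not from a CIDR, so nothing else in the VPC can reach them directly.
resource "aws_security_group" "ecs" {
  name        = "${var.project}-ecs"
  description = "App tasks: container port from the ALB only"
  vpc_id      = var.vpc_id

  ingress {
    from_port       = 8080
    to_port         = 8080
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }
  egress { # outbound via NAT for ECR pulls, Secrets Manager and CloudWatch
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group" "bastion" {
  name        = "${var.project}-bastion"
  description = "SSH jump host: operator ranges only"
  vpc_id      = var.vpc_id

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = var.bastion_cidr_allowlist
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Tier 3: PostgreSQL from the app tier and the bastion, nothing else. No egress
# block is declared on purpose: Terraform then removes the default allow-all
# egress rule, and the database cannot initiate outbound connections.
resource "aws_security_group" "rds" {
  name        = "${var.project}-rds"
  description = "PostgreSQL from ECS tasks and the bastion only"
  vpc_id      = var.vpc_id

  ingress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.ecs.id, aws_security_group.bastion.id]
  }
}
```

A quick check after `terraform apply` is `aws ec2 describe-security-groups --filters Name=tag:Name,Values=<project>-rds` and confirming that every ingress entry is a `UserIdGroupPairs` reference and that no `IpRanges` entry appears; a `0.0.0.0/0` or VPC-wide CIDR on the database group is the most common way this layout silently degrades.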
| Service | Dev | Staging | Prod | Monthly Total |
|---|---|---|---|---|
| NAT Gateway | $32 | $32 | $32 | $96 |
| ALB | $16 | $16 | $16 | $48 |
| ECS Fargate | $15 | $30 | $60 | $105 |
| RDS PostgreSQL | $50 | $100 | $200 | $350 |
| ECR | $1 | $1 | $1 | $3 |
| Secrets Manager | $1.20 | $1.20 | $1.20 | $3.60 |
| Bastion Host | - | - | $7.50 | $7.50 |
| Total | ~$115 | ~$180 | ~$318 | ~$613/month |
This template includes several cost optimizations:
- FARGATE_SPOT for dev/staging (the estimate above assumes about 50% below on-demand; AWS prices Spot at up to 70% off). Spot tasks can be reclaimed with a two-minute warning, which is why production stays on on-demand Fargate.
- Right-sized instances (smaller for dev, larger for prod)
- RDS storage auto-scaling (pay only for what you use)
- Lifecycle policies on ECR (keep only recent images)

Additional savings:
- Stop dev/staging environments during off-hours (~40% savings)
- Use Reserved Instances for production RDS (~30% savings)
- Enable S3 lifecycle policies for logs such as ALB access logs (~50% savings on storage)
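The ECR lifecycle policy mentioned above is also where two security settings belong. As an added example (not the template's own `ecr` module), this Terraform creates the repository with immutable tags and scan-on-push, then expires untagged images after a day and caps the repository at the 20 most recent images. It assumes `var.project` is defined elsewhere; immutable tags also assume the CI workflow pushes a unique tag per build (for example the commit SHA) rather than re-pushing `latest`.

```hcl
# Added example (not the template's ecr module). Assumed input: var.project.

resource "aws_ecr_repository" "app" {
  name                 = var.project
  image_tag_mutability = "IMMUTABLE" # a deployed tag can never be re-pointed at a different image
  force_delete         = false

  image_scanning_configuration {
    scan_on_push = true # basic CVE scan of every pushed image
  }

  encryption_configuration {
    encryption_type = "AES256"
  }
}

resource "aws_ecr_lifecycle_policy" "app" {
  repository = aws_ecr_repository.app.name

  policy = jsonencode({
    rules = [
      {
        rulePriority = 1
        description  = "Drop untagged images (superseded layers) after one day"
        selection = {
          tagStatus   = "untagged"
          countType   = "sinceImagePushed"
          countUnit   = "days"
          countNumber = 1
        }
        action = { type = "expire" }
      },
      {
        rulePriority = 2
        description  = "Keep only the 20 most recent images in total"
        selection = {
          tagStatus   = "any"
          countType   = "imageCountMoreThan"
          countNumber = 20
        }
        action = { type = "expire" }
      }
    ]
  })
}
```

Expired images are deleted within about a day of matching a rule, so a running task keeps working but can no longer be redeployed from that tag; keep the cap above the number of rollback targets you want available.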
This template is designed to be easily customizable:

Update the `project` variable in each module's `terraform.tfvars`:
```hcl
project = "my-app"
```

Change the `region` variable to deploy in a different region:
```hcl
region = "ap-south-1"
```

Adjust resources in module `main.tf` files:
- ECS: Task count, CPU/memory allocation
- RDS: Instance class, storage size
- VPC: CIDR blocks, subnet configuration

See each module's README for specific customization options.
All resources include CloudWatch integration:
- ECS Logs: `/ecs/<project>-<env>`
- RDS Logs: Exported to CloudWatch
- ALB Access Logs: Optional S3 bucket

View logs:
```bash
aws logs tail /ecs/your-app-dev --follow
```

Backups:
- RDS: Automated daily backups (7-30 days retention)
- Snapshots: Manual snapshots before major changes
- Secrets: Versioned in Secrets Manager

Scaling:
- ECS: Auto-scales based on CPU/memory (configured per environment)
- RDS: Manual scaling (changing the instance class causes a brief outage; with Multi-AZ in prod it is reduced to a failover)
- ALB: Automatically scales with traffic

See GETTING-STARTED.md for operational procedures.
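The backup, encryption and scaling settings above map onto a handful of `aws_db_instance` arguments. The following Terraform is an added example (not the template's own `database` module) that creates one PostgreSQL instance per environment with the sizes from the environment table, encrypts storage, keeps 7 or 30 days of automated backups, enables storage autoscaling only where the table has a range, and protects the production instance against an accidental `terraform destroy`. It assumes `var.project`, `aws_db_subnet_group.private` and `aws_security_group.rds` are defined elsewhere, and a recent AWS provider for `manage_master_user_password`.

```hcl
# Added example (not the template's database module). Assumed inputs:
# var.project, aws_db_subnet_group.private, aws_security_group.rds.

locals {
  # Per-environment sizing from the table above; max_storage = 0 disables storage autoscaling.
  db = {
    dev     = { class = "db.t3.medium",   storage = 20,  max_storage = 0,    multi_az = false, backups = 7 }
    staging = { class = "db.t3.large",    storage = 50,  max_storage = 0,    multi_az = false, backups = 7 }
    prod    = { class = "db.r6g.2xlarge", storage = 100, max_storage = 1000, multi_az = true,  backups = 30 }
  }
}

resource "aws_db_instance" "app" {
  for_each       = local.db
  identifier     = "${var.project}-${each.key}"
  engine         = "postgres"
  engine_version = "16"
  instance_class = each.value.class

  allocated_storage     = each.value.storage
  max_allocated_storage = each.value.max_storage
  storage_encrypted     = true # at rest with the account's default RDS KMS key; set kms_key_id for a customer-managed key
  multi_az              = each.value.multi_az

  db_name                     = "app"
  username                    = "app"
  manage_master_user_password = true # RDS generates the password and stores it in Secrets Manager; it never touches tfvars or state

  db_subnet_group_name   = aws_db_subnet_group.private.name
  vpc_security_group_ids = [aws_security_group.rds.id]
  publicly_accessible    = false

  backup_retention_period = each.value.backups
  backup_window           = "03:00-04:00"
  copy_tags_to_snapshot   = true

  # Production: refuse `terraform destroy` until the flag is cleared, and always keep a final snapshot.
  deletion_protection       = each.key == "prod"
  skip_final_snapshot       = each.key != "prod"
  final_snapshot_identifier = each.key == "prod" ? "${var.project}-prod-final" : null

  enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]
}

output "db_master_secret_arn" {
  description = "Secrets Manager ARN of the RDS-managed master credentials, per environment"
  value       = { for env, db in aws_db_instance.app : env => db.master_user_secret[0].secret_arn }
}
```

Before a major change to production, take the manual snapshot the list above calls for with `aws rds create-db-snapshot --db-instance-identifier <project>-prod --db-snapshot-identifier <project>-prod-pre-change`; automated backups are retained only for the retention window and are deleted when the instance is.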
To destroy all infrastructure, work through the modules in the reverse of the deployment order. Take a final snapshot of any production database first (see the backups list above), since `terraform destroy` removes it along with its automated backups:
```bash
# See GETTING-STARTED.md for detailed cleanup instructions
cd route53 && terraform destroy
cd ../bastion && terraform destroy
cd ../ecs && terraform destroy
# ... (continue in reverse order)
```

Can I use this for a single environment?
Yes! Simply deploy only the modules you need for one environment. Modify the Terraform code to remove the environment loops.
Does this support HTTPS/SSL?
The ALB is configured for HTTP only. For HTTPS, request an ACM certificate for your domain, add a listener on port 443 that uses it, and change the port 80 listener to redirect to HTTPS. See alb/README.md for instructions.
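As an added example (not the template's `alb` module), this Terraform carries out the three steps just described: it requests a DNS-validated ACM certificate, publishes the validation records in Route53, terminates TLS 1.2+ on a 443 listener, and turns the port 80 listener into a permanent redirect. It assumes `var.domain_name`, `aws_route53_zone.this`, `aws_lb.this` and `aws_lb_target_group.app` are defined elsewhere.

```hcl
# Added example (not the template's alb module). Assumed inputs: var.domain_name,
# aws_route53_zone.this, aws_lb.this, aws_lb_target_group.app.

resource "aws_acm_certificate" "app" {
  domain_name       = var.domain_name
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true # replace the certificate without a listener outage
  }
}

# One validation record per domain on the certificate, written into the hosted zone.
resource "aws_route53_record" "cert_validation" {
  for_each = {
    for dvo in aws_acm_certificate.app.domain_validation_options :
    dvo.domain_name => {
      name   = dvo.resource_record_name
      type   = dvo.resource_record_type
      record = dvo.resource_record_value
    }
  }

  zone_id         = aws_route53_zone.this.zone_id
  name            = each.value.name
  type            = each.value.type
  ttl             = 60
  records         = [each.value.record]
  allow_overwrite = true
}

# Blocks until ACM has issued the certificate, so the listener below never
# references a pending one.
resource "aws_acm_certificate_validation" "app" {
  certificate_arn         = aws_acm_certificate.app.arn
  validation_record_fqdns = [for r in aws_route53_record.cert_validation : r.fqdn]
}

# Port 80 no longer serves the application; it only answers with a 301 to HTTPS.
resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.this.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.this.arn
  port              = 443
  protocol          = "HTTPS"
  # TLS 1.2 and 1.3 only. The provider default (ELBSecurityPolicy-2016-08) still accepts TLS 1.0/1.1.
  ssl_policy      = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn = aws_acm_certificate_validation.app.certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn
  }
}
```

The ALB security group must already allow inbound 443; the target group and the ECS security group are unchanged because TLS is terminated at the load balancer and traffic to the tasks stays HTTP inside the private subnet.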
Can I use Aurora instead of RDS?
Yes! Modify database/main.tf to use Aurora PostgreSQL. Note: Aurora is more expensive but offers better scalability.
How do I add more environments?
Add the environment to the environments variable in each module and run terraform apply.
Is this production-ready?
It is a sound production baseline: it follows AWS Well-Architected guidance (private subnets, security groups, encrypted Multi-AZ databases, automated backups, secrets in Secrets Manager). Review it against your own requirements before relying on it, in particular the points this README already calls out: the ALB ships HTTP-only, the bastion exposes SSH and its security group should be limited to your operator ranges, and the IAM permissions, backup retention and alerting should be checked against your policies.
| Issue | Solution |
|---|---|
| ECS tasks not starting | Check CloudWatch logs, verify ECR image exists |
| ALB health checks failing | Ensure /health endpoint returns 200, check security groups |
| Database connection errors | Verify security groups, check Secrets Manager passwords |
| Terraform state locked | Wait for other operations to complete or force unlock |
See GETTING-STARTED.md for detailed troubleshooting steps.
Contributions are welcome! Please feel free to submit a Pull Request. For major changes, please open an issue first to discuss what you would like to change.
- Fork the repository
- Create your feature branch (`git checkout -b feature/AmazingFeature`)
- Commit your changes (`git commit -m 'Add some AmazingFeature'`)
- Push to the branch (`git push origin feature/AmazingFeature`)
- Open a Pull Request
This project is licensed under the MIT License - see the LICENSE file for details.
TL;DR: You can use this template for personal or commercial projects, modify it, and distribute it freely.
- Built following AWS Well-Architected Framework best practices
- Inspired by real-world production deployments
- Community feedback and contributions
- Documentation: Check GETTING-STARTED.md and module READMEs
- Issues: Open an issue on GitHub
- Discussions: Start a discussion for questions
- Star this repo if you find it helpful!