AWS Scenarios

This guide provides practical deployment scenarios for AWS using Terraform, incorporating modern best practices and patterns for 2025.

ECS Fargate with Application Load Balancer

A production-ready ECS Fargate deployment with ALB:

module "ecs_cluster" {
  source = "./modules/ecs-cluster"

  name = "production"
  capacity_providers = ["FARGATE", "FARGATE_SPOT"]
  
  default_capacity_provider_strategy = [
    {
      capacity_provider = "FARGATE"
      weight = 60
      base = 1
    },
    {
      capacity_provider = "FARGATE_SPOT"
      weight = 40
    }
  ]

  container_insights = true
}

module "ecs_service" {
  source = "./modules/ecs-service"

  name = "api-service"
  cluster_id = module.ecs_cluster.id
  
  task_definition = {
    cpu = 1024
    memory = 2048
    container_definitions = [
      {
        name = "api"
        image = "${var.ecr_repository_url}:latest"
        cpu = 512
        memory = 1024
        essential = true
        portMappings = [
          {
            containerPort = 8080
            protocol = "tcp"
          }
        ]
        environment = [
          {
            name = "ENV"
            value = "production"
          }
        ]
        logConfiguration = {
          logDriver = "awslogs"
          options = {
            awslogs-group = "/ecs/api-service"
            awslogs-region = var.aws_region
            awslogs-stream-prefix = "api"
          }
        }
      }
    ]
  }

  networking = {
    subnets = var.private_subnet_ids
    security_groups = [aws_security_group.ecs_tasks.id]
    assign_public_ip = false
  }

  load_balancer = {
    target_group_arn = module.alb.target_group_arns[0]
    container_name = "api"
    container_port = 8080
  }

  auto_scaling = {
    min_capacity = 2
    max_capacity = 10
    cpu_threshold = 75
    memory_threshold = 75
  }

  enable_execute_command = true
}

Multi-Account AWS Organization

Setting up a secure multi-account AWS organization:

module "organization" {
  source = "./modules/aws-organization"

  feature_set = "ALL"
  aws_service_access_principals = [
    "cloudtrail.amazonaws.com",
    "config.amazonaws.com",
    "sso.amazonaws.com"
  ]

  enabled_policy_types = [
    "SERVICE_CONTROL_POLICY",
    "TAG_POLICY"
  ]

  organizational_units = {
    infrastructure = {
      name = "Infrastructure"
      accounts = ["networking", "security"]
    }
    workloads = {
      name = "Workloads"
      accounts = ["dev", "staging", "prod"]
    }
    platform = {
      name = "Platform"
      accounts = ["logging", "monitoring", "backup"]
    }
  }

  accounts = {
    networking = {
      email = "aws-networking@example.com"
      name  = "Networking Account"
    }
    security = {
      email = "aws-security@example.com"
      name  = "Security Account"
    }
    // ... other accounts
  }

  service_control_policies = {
    deny_root_user = {
      name = "DenyRootUser"
      description = "Deny root user access"
      policy = jsonencode({
        Version = "2012-10-17"
        Statement = [
          {
            Sid = "DenyRootUser"
            Effect = "Deny"
            Action = "*"
            Resource = "*"
            Condition = {
              StringLike = {
                "aws:PrincipalArn": [
                  "arn:aws:iam::*:root"
                ]
              }
            }
          }
        ]
      })
    }
  }
}

Secure VPC with Transit Gateway

Deploy a secure VPC architecture with Transit Gateway:

module "transit_gateway" {
  source = "./modules/transit-gateway"

  name = "main-tgw"
  description = "Main Transit Gateway"
  
  amazon_side_asn = 64512
  
  enable_auto_accept_shared_attachments = true
  enable_default_route_table_association = false
  enable_default_route_table_propagation = false
  
  tags = local.common_tags
}

module "vpc" {
  source = "./modules/vpc"
  
  for_each = {
    prod = {
      cidr = "10.0.0.0/16"
      azs = ["us-west-2a", "us-west-2b", "us-west-2c"]
    }
    staging = {
      cidr = "10.1.0.0/16"
      azs = ["us-west-2a", "us-west-2b"]
    }
  }

  name = "${each.key}-vpc"
  cidr = each.value.cidr
  azs  = each.value.azs
  
  private_subnets = [for i, az in each.value.azs : cidrsubnet(each.value.cidr, 8, i)]
  public_subnets  = [for i, az in each.value.azs : cidrsubnet(each.value.cidr, 8, i + length(each.value.azs))]
  
  enable_nat_gateway = true
  single_nat_gateway = each.key == "staging"
  
  enable_vpn_gateway = false
  
  enable_transit_gateway_attachment = true
  transit_gateway_id = module.transit_gateway.id
  
  tags = merge(local.common_tags, {
    Environment = each.key
  })
}

EKS Cluster with Node Groups

Deploy a production-ready EKS cluster:

module "eks" {
  source = "./modules/eks"

  cluster_name = "prod-eks"
  cluster_version = "1.28"

  vpc_config = {
    subnet_ids = var.private_subnet_ids
    endpoint_private_access = true
    endpoint_public_access  = true
    public_access_cidrs    = ["ADMIN_IP/32"]
  }

  cluster_addons = {
    coredns = {
      most_recent = true
    }
    kube-proxy = {
      most_recent = true
    }
    vpc-cni = {
      most_recent = true
    }
    aws-ebs-csi-driver = {
      most_recent = true
    }
  }

  node_groups = {
    system = {
      desired_size = 2
      min_size     = 2
      max_size     = 4

      instance_types = ["m6i.large"]
      capacity_type  = "ON_DEMAND"
      
      labels = {
        role = "system"
      }
      
      taints = [
        {
          key    = "dedicated"
          value  = "system"
          effect = "NO_SCHEDULE"
        }
      ]
    }
    
    application = {
      desired_size = 3
      min_size     = 3
      max_size     = 10

      instance_types = ["m6i.xlarge"]
      capacity_type  = "SPOT"
      
      labels = {
        role = "application"
      }
    }
  }

  aws_auth_roles = [
    {
      rolearn  = "arn:aws:iam::66666666666:role/role1"
      username = "role1"
      groups   = ["system:masters"]
    },
  ]

  aws_auth_users = [
    {
      userarn  = "arn:aws:iam::66666666666:user/user1"
      username = "user1"
      groups   = ["system:masters"]
    },
  ]

  tags = local.common_tags
}

Aurora Serverless v2 Database

Deploy a highly available Aurora Serverless v2 cluster:

module "aurora_serverless_v2" {
  source = "./modules/aurora-serverless-v2"

  cluster_name = "prod-aurora"
  engine      = "aurora-postgresql"
  engine_version = "14.6"
  
  database_name = "application"
  master_username = "admin"
  
  vpc_config = {
    vpc_id = var.vpc_id
    subnet_ids = var.database_subnet_ids
    allowed_security_group_ids = var.application_security_group_ids
  }

  serverless_config = {
    min_capacity = 0.5
    max_capacity = 16
  }

  backup_config = {
    retention_period = 30
    preferred_window = "03:00-04:00"
  }

  monitoring_config = {
    enhanced_monitoring_interval = 30
    enable_performance_insights = true
    performance_insights_retention = 7
  }

  scaling_config = {
    auto_pause = true
    min_capacity = 0.5
    max_capacity = 16
    seconds_until_auto_pause = 300
    timeout_action = "ForceApplyCapacityChange"
  }

  tags = local.common_tags
}

CloudFront with S3 Origin

Deploy a secure CloudFront distribution with S3:

module "static_website" {
  source = "./modules/static-website"

  domain_name = "example.com"
  environment = "production"

  origin_config = {
    s3_bucket_name = "example-static-content"
    
    origin_access_identity = {
      comment = "Access identity for example.com static content"
    }
  }

  cdn_config = {
    price_class = "PriceClass_All"
    
    custom_error_responses = [
      {
        error_code = 404
        response_code = 200
        response_page_path = "/index.html"
      }
    ]
    
    cache_policy = {
      min_ttl = 0
      default_ttl = 3600
      max_ttl = 86400
      
      cookies = {
        forward = "none"
      }
      
      headers = [
        "Origin",
        "Access-Control-Request-Headers",
        "Access-Control-Request-Method"
      ]
      
      query_strings = {
        forward = "none"
      }
    }
  }

  security_config = {
    waf_web_acl_id = var.waf_web_acl_id
    ssl_certificate_arn = var.acm_certificate_arn
    minimum_protocol_version = "TLSv1.2_2021"
  }

  tags = local.common_tags
}

Best Practices

1. Resource Tagging Strategy

locals {
  mandatory_tags = {
    Environment  = var.environment
    Project      = var.project_name
    Owner        = var.team_email
    CostCenter   = var.cost_center
    ManagedBy    = "terraform"
  }
  
  resource_tags = merge(local.mandatory_tags, var.additional_tags)
}

resource "aws_resourcegroups_group" "project" {
  name = "project-resources"

  resource_query {
    query = jsonencode({
      ResourceTypeFilters = ["AWS::AllSupported"]
      TagFilters = [
        {
          Key = "Project"
          Values = [var.project_name]
        }
      ]
    })
  }
}

2. IAM Role Strategy

module "iam_roles" {
  source = "./modules/iam-roles"

  environment = var.environment
  
  custom_roles = {
    application = {
      trusted_services = ["ec2.amazonaws.com"]
      custom_policies = [
        {
          name = "ApplicationS3Access"
          policy = jsonencode({
            Version = "2012-10-17"
            Statement = [
              {
                Effect = "Allow"
                Action = [
                  "s3:GetObject",
                  "s3:ListBucket"
                ]
                Resource = [
                  "arn:aws:s3:::${var.application_bucket}",
                  "arn:aws:s3:::${var.application_bucket}/*"
                ]
              }
            ]
          })
        }
      ]
      managed_policy_arns = [
        "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess",
        "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
      ]
    }
  }
}

3. Security Groups

module "security_groups" {
  source = "./modules/security-groups"

  vpc_id = var.vpc_id
  
  groups = {
    web = {
      name = "web-tier"
      description = "Security group for web tier"
      ingress_rules = [
        {
          from_port = 443
          to_port = 443
          protocol = "tcp"
          cidr_blocks = ["0.0.0.0/0"]
          description = "HTTPS from anywhere"
        }
      ]
    }
    app = {
      name = "app-tier"
      description = "Security group for application tier"
      ingress_rules = [
        {
          from_port = 8080
          to_port = 8080
          protocol = "tcp"
          source_security_group_id = "web"
          description = "Access from web tier"
        }
      ]
    }
    db = {
      name = "db-tier"
      description = "Security group for database tier"
      ingress_rules = [
        {
          from_port = 5432
          to_port = 5432
          protocol = "tcp"
          source_security_group_id = "app"
          description = "PostgreSQL access from app tier"
        }
      ]
    }
  }
}

Testing

Integration Tests with Terratest

package test

import (
    "testing"
    "github.com/gruntwork-io/terratest/modules/aws"
    "github.com/gruntwork-io/terratest/modules/terraform"
    "github.com/stretchr/testify/assert"
)

func TestECSDeployment(t *testing.T) {
    t.Parallel()

    terraformOptions := &terraform.Options{
        TerraformDir: "../examples/ecs-service",
        
        Vars: map[string]interface{}{
            "environment": "test",
            "region": "us-west-2",
        },
        
        EnvVars: map[string]string{
            "AWS_DEFAULT_REGION": "us-west-2",
        },
    }
    
    defer terraform.Destroy(t, terraformOptions)
    terraform.InitAndApply(t, terraformOptions)
    
    // Verify ECS Cluster exists
    clusterName := terraform.Output(t, terraformOptions, "cluster_name")
    cluster := aws.GetEcsCluster(t, "us-west-2", clusterName)
    assert.Equal(t, "ACTIVE", *cluster.Status)
    
    // Verify ECS Service is running
    serviceName := terraform.Output(t, terraformOptions, "service_name")
    service := aws.GetEcsService(t, "us-west-2", clusterName, serviceName)
    assert.Equal(t, "ACTIVE", *service.Status)
}

Last updated