Add Terraform GitHub Actions workflow and setup

Author: Helenaden

.github/workflows/terraform-ci-cd.yml

@@ -0,0 +1,76 @@
+# This workflow uses OpenID Connect (OIDC) to securely authenticate with AWS.
+# It eliminates the need to store long-lived AWS Access Keys as GitHub secrets.
+
+name: 'Terraform CI/CD'
+
+on:
+  push:
+    branches:
+      - main
+
+# Grant the GitHub Actions runner permissions to get an ID token.
+permissions:
+  id-token: write  # This is crucial for OIDC authentication
+  contents: read
+
+jobs:
+  terraform:
+    name: 'Terraform Plan and Apply'
+    runs-on: ubuntu-latest
+    
+    steps:
+      # Step 1: Checkout the repository code.
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      # Step 2: Configure AWS credentials using OIDC.
+      # This action assumes an IAM role in your AWS account using a short-lived token.
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          # The IAM role ARN to assume.
+          # We now use the GitHub secret for the AWS account ID.
+          role-to-assume: 'arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/GitHubActionsRole'
+          # Use the repository variable for the AWS region.
+          aws-region: ${{ vars.AWS_REGION }}
+
+      # Step 3: Install the latest version of Terraform.
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.12.2
+
+      # Step 4: Inject sensitive variables from a GitHub Secret.
+      - name: Create tfvars file from secret
+        env:
+          TF_VARS: ${{ secrets.TF_VARS_CONTENT }}
+        run: echo "$TF_VARS" > terraform.tfvars
+
+      # Step 5: Initialize the Terraform project.
+      - name: Terraform Init
+        id: init
+        run: terraform init
+
+      # Step 6: Run Checkov to scan for IaC security vulnerabilities.
+      - name: Run Checkov
+        id: checkov
+        uses: bridgecrewio/checkov-action@v12
+        with:
+          framework: terraform
+          directory: '.'
+        continue-on-error: true
+
+      # Step 7: Validate the Terraform code.
+      - name: Terraform Validate
+        id: validate
+        run: terraform validate
+
+      # Step 8: Create a Terraform plan.
+      - name: Terraform Plan
+        id: plan
+        run: terraform plan -no-color -var-file=terraform.tfvars
+
+      # Step 9: Apply the Terraform plan.
+      - name: Terraform Apply
+        if: github.ref == 'refs/heads/main'
+        run: terraform apply -auto-approve -var-file=terraform.tfvars

.gitignore

@@ -2,4 +2,9 @@
 .terraform
 .terraform.lock.hcl
 *.tfstate
-*.tfstate.backup
+*.tfstate.backup
+*.tfvars
+# This is a good practice to avoid exposing your AWS credentials if you're using them.
+.aws/credentials
+# EC2 key pair file
+ec2-new-key.pem

app_load_balancer.tf

@@ -0,0 +1,47 @@
+# load_balancer.tf
+
+# Application Load Balancer
+# amazonq-ignore-next-line
+# amazonq-ignore-next-line
+resource "aws_lb" "web_alb" {
+  name               = "web-alb"
+  internal           = false
+  load_balancer_type = "application"
+  security_groups    = [aws_security_group.alb_security_group.id]
+  subnets            = [aws_subnet.public-web-subnet-1.id, aws_subnet.public-web-subnet-2.id] # Assumes public subnet variables exist
+
+  tags = {
+    Name = "Web ALB"
+  }
+}
+
+# Target Group to route traffic to the web tier EC2 instances
+resource "aws_lb_target_group" "web_target_group" {
+  name     = "web-tg"
+  port     = 80
+  protocol = "HTTP"
+  vpc_id   = aws_vpc.three_tier_app_vpc.id
+
+   health_check {
+    path                = "/"
+    interval            = 30
+    timeout             = 10
+    healthy_threshold   = 5
+    unhealthy_threshold = 8
+  }
+}
+
+# amazonq-ignore-next-line
+# Listener to forward HTTP traffic from the ALB to the target group
+# amazonq-ignore-next-line
+resource "aws_lb_listener" "http" {
+  # amazonq-ignore-next-line
+  load_balancer_arn = aws_lb.web_alb.arn
+  port              = 80
+  protocol          = "HTTP"
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.web_target_group.arn
+  }
+}

ec2.tf

@@ -0,0 +1,165 @@
+# Description: This file defines the EC2 instances for the web
+# and app tiers using Auto Scaling Groups for high availability.
+# -------------------------------------------------------------
+
+### Data source ###
+data "aws_ami" "amazon_linux_2" {
+  most_recent = true
+  owners      = ["amazon"]
+
+  filter {
+    name   = "owner-alias"
+    values = ["amazon"]
+  }
+
+  filter {
+    name   = "name"
+    values = ["amzn2-ami-hvm*"]
+  }
+}
+
+resource "aws_key_pair" "terraform_key" {
+  key_name   = "ec2-new-key"
+  public_key = tls_private_key.rsa.public_key_openssh
+}
+
+resource "tls_private_key" "rsa" {
+  algorithm = "RSA"
+  rsa_bits  = 4096
+}
+
+resource "aws_secretsmanager_secret" "ec2_private_key" {
+  name        = "ec2-private-key"
+  description = "EC2 private key for SSH access"
+}
+
+resource "aws_secretsmanager_secret_version" "ec2_private_key_version" {
+  secret_id     = aws_secretsmanager_secret.ec2_private_key.id
+  secret_string = tls_private_key.rsa.private_key_pem
+}
+
+### User Data Script for Web Server ###
+data "template_file" "web_user_data" {
+  template = file("${path.module}/user_data/web_user_data.sh")
+}
+
+### User Data Script for App Server ###
+data "template_file" "app_user_data" {
+  template = file("${path.module}/user_data/app_user_data.sh")
+}
+
+### Launch Template for Web Tier ###
+resource "aws_launch_template" "web_tier_template" {
+  name_prefix     = "web-tier-"
+  image_id        = data.aws_ami.amazon_linux_2.id
+  instance_type   = "t2.micro"
+  key_name        = aws_key_pair.terraform_key.key_name
+  user_data       = base64encode(data.template_file.web_user_data.rendered)
+
+  block_device_mappings {
+    device_name = "/dev/xvda"
+    ebs {
+      volume_size = 8
+      encrypted   = true
+    }
+  }
+
+  iam_instance_profile {
+    name = aws_iam_instance_profile.web_profile.name
+  }
+
+  vpc_security_group_ids = [aws_security_group.webserver_security_group.id]
+
+  tag_specifications {
+    resource_type = "instance"
+    tags = {
+      Name = "Web-Tier-Instance"
+    }
+  }
+}
+
+### Launch Template for App Tier ###
+resource "aws_launch_template" "app_tier_template" {
+  name_prefix     = "app-tier-"
+  image_id        = data.aws_ami.amazon_linux_2.id
+  instance_type   = "t2.micro"
+  key_name        = aws_key_pair.terraform_key.key_name
+  user_data       = base64encode(data.template_file.app_user_data.rendered)
+
+  block_device_mappings {
+    device_name = "/dev/xvda"
+    ebs {
+      volume_size = 8
+      encrypted   = true
+    }
+  }
+
+  iam_instance_profile {
+    name = aws_iam_instance_profile.app_profile.name
+  }
+
+  vpc_security_group_ids = [aws_security_group.appserver_security_group.id]
+
+  tag_specifications {
+    resource_type = "instance"
+    tags = {
+      Name = "App-Tier-Instance"
+    }
+  }
+}
+
+### Auto Scaling Group for Web Tier ###
+resource "aws_autoscaling_group" "web_asg" {
+  name                      = "web-tier-asg"
+  vpc_zone_identifier       = [aws_subnet.public-web-subnet-1.id, aws_subnet.public-web-subnet-2.id]
+  desired_capacity          = 2
+  max_size                  = 2
+  min_size                  = 2
+  health_check_type         = "ELB"
+  health_check_grace_period = 300
+  target_group_arns         = [aws_lb_target_group.web_target_group.arn]
+
+  launch_template {
+    id      = aws_launch_template.web_tier_template.id
+    version = "$Latest"
+  }
+
+  tag {
+    key                 = "Name"
+    value               = "Web-Tier-ASG-Instance"
+    propagate_at_launch = true
+  }
+}
+
+### Auto Scaling Group for App Tier ###
+resource "aws_autoscaling_group" "app_asg" {
+  name                      = "app-tier-asg"
+  vpc_zone_identifier       = [aws_subnet.private-app-subnet-1.id, aws_subnet.private-app-subnet-2.id]
+  desired_capacity          = 2
+  max_size                  = 2
+  min_size                  = 2
+  health_check_type         = "EC2"
+  health_check_grace_period = 300
+
+  launch_template {
+    id      = aws_launch_template.app_tier_template.id
+    version = "$Latest"
+  }
+
+  tag {
+    key                 = "Name"
+    value               = "App-Tier-ASG-Instance"
+    propagate_at_launch = true
+  }
+}
+
+# Instance profiles to attach the IAM roles to the EC2 instances
+resource "aws_iam_instance_profile" "web_profile" {
+  name = "web-tier-profile"
+  role = aws_iam_role.web_tier_role.name
+}
+
+resource "aws_iam_instance_profile" "app_profile" {
+  name = "app-tier-profile"
+  role = aws_iam_role.app_tier_role.name
+}