A production-grade multi-tier AWS infrastructure automation platform built using Terraform, featuring automated deployments, Auto Scaling, monitoring, observability, CloudWatch dashboards, SNS alerts, and event-driven frontend deployment workflows.
This project supports both DEV and PROD environments with isolated Terraform state management, reusable modular architecture, and production-style infrastructure automation.
This repository contains a production-grade Infrastructure as Code (IaC) solution built with Terraform that automates deployment and management of a scalable AWS multi-tier architecture.
The infrastructure is fully modular, environment-aware (DEV/PROD), and designed to handle real-world production workloads with:
- Automated deployment pipelines
- Auto Scaling & self-healing infrastructure
- Centralized monitoring & observability
- CloudWatch dashboards & alarms
- SNS notifications
- Secure private subnet deployment
- Event-driven frontend deployment using S3 + Lambda + SSM
```
environments/
├── dev/
│   ├── backend.tfvars
│   └── terraform.tfvars
│
└── prod/
    ├── backend.tfvars
    └── terraform.tfvars
```
- Multi-Environment Architecture (DEV & PROD)
- Fully Automated Deployment Workflow
- Production-Grade Monitoring Stack
- Infrastructure as Code using Terraform
- Modular AWS Infrastructure
- Auto Scaling & High Availability
- Real-Time CloudWatch Observability
- Secure & Scalable Design
```
┌──────────────────────────────────────────────────────────────┐
│                         USER TRAFFIC                         │
└──────────────────────────────┬───────────────────────────────┘
                               │
                               ▼
┌──────────────────────────────────────────────────────────────┐
│             AWS CloudFront / Route 53 (Optional)             │
└──────────────────────────────┬───────────────────────────────┘
                               │
                               ▼
┌──────────────────────────────────────────────────────────────┐
│               Application Load Balancer (ALB)                │
│  • Multi-AZ Traffic Distribution                             │
│  • Health Checks Enabled                                     │
│  • HTTPS / SSL Termination                                   │
└──────────────────────────────┬───────────────────────────────┘
                               │
                               ▼
┌──────────────────────────────────────────────────────────────┐
│                Private Subnets (Multiple AZs)                │
│                                                              │
│  ┌────────────────────────────────────────────────────────┐  │
│  │                 EC2 Auto Scaling Group                 │  │
│  │                                                        │  │
│  │  • Min Capacity: 2                                     │  │
│  │  • Max Capacity: 4                                     │  │
│  │  • Desired Capacity: 2                                 │  │
│  │  • ELB Health Checks                                   │  │
│  │  • Launch Template + User Data                         │  │
│  │  • Nginx Application Server                            │  │
│  │  • Self-Healing Infrastructure                         │  │
│  └────────────────────────────────────────────────────────┘  │
│                                                              │
└──────────────────────────────┬───────────────────────────────┘
                               ▲
                               │
┌──────────────────────────────┴───────────────────────────────┐
│                  AWS Systems Manager (SSM)                   │
│                   Run Command + IAM Roles                    │
└──────────────────────────────┬───────────────────────────────┘
                               ▲
                               │
┌──────────────────────────────┴───────────────────────────────┐
│                          AWS Lambda                          │
│                Triggered by S3 Upload Events                 │
└──────────────────────────────┬───────────────────────────────┘
                               ▲
                               │
┌──────────────────────────────┴───────────────────────────────┐
│                       Amazon S3 Bucket                       │
│                 Frontend Application Assets                  │
│            (HTML, CSS, JS, Images, Static Files)             │
└──────────────────────────────────────────────────────────────┘

┌──────────────────────────────────────────────────────────────┐
│               MONITORING & OBSERVABILITY LAYER               │
├──────────────────────────────────────────────────────────────┤
│                                                              │
│  ┌────────────────┐  ┌────────────────┐  ┌──────────────┐    │
│  │  CloudWatch    │  │  CloudWatch    │  │  SNS Alerts  │    │
│  │  Logs          │  │  Dashboards    │  │  Email / SMS │    │
│  │                │  │                │  │ Notifications│    │
│  │  • Nginx Logs  │  │  • ALB Metrics │  │              │    │
│  │  • Lambda Logs │  │  • EC2 Metrics │  │  • High CPU  │    │
│  │  • App Logs    │  │  • Lambda Stats│  │  • Unhealthy │    │
│  │  • Deploy Logs │  │  • Traffic Data│  │    Hosts     │    │
│  └────────────────┘  └────────────────┘  └──────────────┘    │
│                                                              │
└──────────────────────────────────────────────────────────────┘
```
```
Frontend Asset Upload
          ↓
S3 Object
          ↓
S3 Event Trigger
          ↓
AWS Lambda Function
          ↓
SSM Run Command
          ↓
EC2 Instances (ASG)
          ↓
File Sync & Nginx Restart
          ↓
Live Application Updates
```
| Service | Purpose | Configuration |
|---|---|---|
| VPC | Network isolation and segmentation | Multi-AZ, Public/Private subnets |
| EC2 | Application servers | Auto Scaling Group with Launch Template |
| ALB | Load balancing and traffic distribution | Multi-AZ, Health checks enabled |
| Auto Scaling | Dynamic capacity management | Min: 2, Max: 4, Scale-based policies |
| S3 | Frontend asset storage | Versioning, Event notifications |
| Lambda | Automated deployment trigger | Event-driven, IAM execution role |
| Systems Manager | Infrastructure automation | Run Command for EC2 deployment |
| CloudWatch | Monitoring and observability | Custom metrics, dashboards, alarms |
| SNS | Alert notifications | Email/SMS subscriptions |
| IAM | Identity and access management | Service roles, instance profiles |
| Security Groups | Network access control | Inbound/Outbound rules per layer |
- Modular Terraform Design: Separate modules for each AWS service
- Reusable Components: DRY principle - shared modules across environments
- Version Controlled: Complete infrastructure history in Git
- Validated: Terraform validate and plan before apply
- Multi-AZ Deployment: Services distributed across availability zones
- Auto Scaling: Automatic scaling based on demand
- Health Checks: Automatic instance replacement on failure
- Load Balancing: Efficient traffic distribution across instances
- CI/CD Ready: Lambda-triggered deployment pipeline
- S3-Based Deployment: Upload and deploy frontend assets
- Zero-Downtime: Rolling updates via Auto Scaling
- Deployment Tracking: CloudWatch logs for audit trail
- CloudWatch Dashboards: Real-time infrastructure metrics
- Centralized Logging: Nginx and application logs in CloudWatch
- Intelligent Alerts: SNS notifications for critical metrics
- Custom Metrics: Application-specific performance tracking
- Private Subnet Deployment: EC2 instances not directly accessible
- IAM Least Privilege: Granular permissions for each service
- Security Groups: Network segmentation and access control
- Audit Trails: CloudWatch Logs for compliance
```
modules/
├── vpc/                    # Virtual Private Cloud
│   ├── main.tf
│   ├── variables.tf
│   └── outputs.tf
├── security/               # Security Groups & NACLs
│   ├── main.tf
│   ├── variables.tf
│   └── outputs.tf
├── alb/                    # Application Load Balancer
│   ├── main.tf
│   ├── variables.tf
│   └── outputs.tf
├── ec2/                    # EC2 & Auto Scaling
│   ├── main.tf
│   ├── variables.tf
│   └── outputs.tf
├── iam/                    # IAM Roles & Policies
│   ├── main.tf
│   ├── variables.tf
│   └── outputs.tf
├── lambda/                 # Lambda Function
│   ├── main.tf
│   ├── variables.tf
│   ├── outputs.tf
│   └── function/
│       └── index.py        # Python deployment handler
├── s3/                     # S3 Bucket
│   ├── main.tf
│   ├── variables.tf
│   └── outputs.tf
├── cloudwatch/             # Monitoring & Logs
│   ├── main.tf
│   ├── variables.tf
│   └── outputs.tf
├── sns/                    # SNS Topic
│   ├── main.tf
│   ├── variables.tf
│   └── outputs.tf
└── validate_destroy/       # Destruction validations
    └── main.tf
```

```
environments/
├── dev/
│   ├── backend.tfvars      # DEV state backend
│   └── terraform.tfvars    # DEV variables
└── prod/
    ├── backend.tfvars      # PROD state backend
    └── terraform.tfvars    # PROD variables
```
- main.tf: Module orchestration and composition
- providers.tf: AWS provider configuration
- backend.tf: Terraform state management
- variables.tf: Input variables definition
- outputs.tf: Infrastructure outputs
- versions.tf: Terraform version constraints
- Frontend Upload: Developer uploads frontend assets to S3 bucket
- S3 Event Trigger: S3 sends event notification on object upload
- Lambda Invocation: Lambda function receives S3 event payload
- SSM Command: Lambda triggers Systems Manager Run Command
- EC2 Execution: Run Command executes on all instances in ASG
- File Sync: Script syncs files from S3 to EC2 instances
- Service Restart: Nginx restarts to serve updated content
- Health Check: ALB verifies instance health
- Live Update: Users receive updated content
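The Lambda side of this flow, as an added example that is not the repository's index.py: it checks the S3 event against the configured bucket and key prefix and then issues a fixed SSM Run Command to the Auto Scaling Group's instances. Assumed, not taken from the project: the FRONTEND_BUCKET and TARGET_ASG environment variables, the frontend/ key prefix, the /var/www/html web root, and targeting instances by the aws:autoscaling:groupName tag.

```python
"""S3 ObjectCreated event -> SSM Run Command on the ASG (Lambda side).
Added example, not the repository's index.py. Assumptions not taken from the
project: bucket and ASG names come from the FRONTEND_BUCKET / TARGET_ASG
environment variables, assets live under the key prefix "frontend/", and
instances are selected by the aws:autoscaling:groupName tag Auto Scaling sets."""
import os
from typing import Optional
from urllib.parse import unquote_plus

ASSET_PREFIX = "frontend/"


def build_ssm_request(event: dict, expected_bucket: str, asg_name: str) -> Optional[dict]:
    """Return kwargs for ssm.send_command, or None when nothing needs deploying.
    Raises ValueError if a record names a bucket other than the configured one
    (a mis-wired notification or a forged event is never a deploy). The key only
    decides *whether* to deploy; it is never placed in the command text."""
    changed = []
    for record in event.get("Records", []):
        s3 = record.get("s3", {})
        bucket = s3.get("bucket", {}).get("name")
        if bucket != expected_bucket:
            raise ValueError(f"event from unexpected bucket {bucket!r}")
        if not record.get("eventName", "").startswith("ObjectCreated:"):
            continue  # deletes and restores do not trigger a roll-out
        key = unquote_plus(s3.get("object", {}).get("key", ""))  # S3 URL-encodes keys
        if key.startswith(ASSET_PREFIX):
            changed.append(key)
    if not changed:
        return None
    # Fixed command built from trusted configuration only: each instance re-syncs the
    # whole prefix (--delete drops files removed from S3), then reloads Nginx after a
    # config test so in-flight connections survive the deploy.
    commands = [
        "set -eu",
        f"aws s3 sync s3://{expected_bucket}/{ASSET_PREFIX} /var/www/html/ --delete",
        "nginx -t && systemctl reload nginx",
    ]
    return {
        "DocumentName": "AWS-RunShellScript",
        "Targets": [{"Key": "tag:aws:autoscaling:groupName", "Values": [asg_name]}],
        "Parameters": {"commands": commands},
        "Comment": f"frontend deploy: {len(changed)} object(s) changed",
    }


def lambda_handler(event, context):
    """Entry point; boto3 is imported here so build_ssm_request stays testable offline."""
    import boto3  # provided by the Lambda runtime
    request = build_ssm_request(event, os.environ["FRONTEND_BUCKET"], os.environ["TARGET_ASG"])
    if request is None:
        return {"status": "skipped"}
    resp = boto3.client("ssm").send_command(**request)
    return {"status": "sent", "commandId": resp["Command"]["CommandId"]}


if __name__ == "__main__":  # constructed sample event in the shape S3 delivers to Lambda
    sample = {"Records": [{"eventName": "ObjectCreated:Put", "s3": {
        "bucket": {"name": "example-assets"}, "object": {"key": "frontend/index.html"}}}]}
    print(build_ssm_request(sample, "example-assets", "example-web-asg"))
```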
```
# On EC2 Instance (via SSM Run Command)
├── Download files from S3
├── Verify checksum/integrity
├── Backup previous version
├── Deploy new files
├── Validate permissions
├── Run health checks
└── Restart Nginx service
```

- Min Capacity: 2 instances
- Max Capacity: 4 instances
- Desired Capacity: 2 instances
- Health Check Type: ELB
- Termination Policy: Oldest instance first
- Cooldown Period: 300 seconds

```
CPU Utilization > 70%  →  Scale Up (add instance)
CPU Utilization < 30%  →  Scale Down (remove instance)
```
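The instance-side steps in the Run Command tree above (verify integrity, back up the previous version, deploy), as an added Python example that is not the repository's deployment script. It assumes the uploader publishes a sha256sum-style MANIFEST.sha256 beside the assets; the sample releases are constructed in a temporary directory.

```python
"""Instance-side deploy step: verify integrity, back up the live tree, swap atomically.
Added example, not the repository's script. Assumes the uploader publishes a sha256sum-style
manifest (MANIFEST.sha256) beside the assets; the sample releases below are constructed."""
import hashlib, os, tempfile, time
from pathlib import Path

MANIFEST = "MANIFEST.sha256"

def parse_manifest(text: str) -> dict:
    """Parse '<hex sha256>  <relative path>' lines as written by `sha256sum`."""
    entries = {}
    for line in filter(str.strip, text.splitlines()):
        digest, sep, rel = line.partition("  ")
        if not sep or len(digest) != 64 or rel.startswith("/") or ".." in Path(rel).parts:
            raise ValueError(f"bad manifest line: {line!r}")
        entries[rel] = digest.lower()
    return entries

def verify_tree(root: Path, manifest: dict) -> list:
    """Relative paths that fail: wrong digest, missing, or present but unlisted."""
    on_disk = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    bad = [rel for rel, digest in manifest.items() if not (root / rel).is_file()
           or hashlib.sha256((root / rel).read_bytes()).hexdigest() != digest]
    bad += sorted(on_disk - set(manifest) - {MANIFEST})  # unlisted files are rejected too
    return bad

def deploy(staging: Path, live: Path) -> Path:
    """Verify staging against its manifest, then rename it over live (atomic on one filesystem)."""
    bad = verify_tree(staging, parse_manifest((staging / MANIFEST).read_text()))
    if bad:
        raise RuntimeError(f"integrity check failed: {bad}")  # live tree untouched
    backup = live.with_name(f"{live.name}.bak-{time.strftime('%Y%m%d%H%M%S')}")
    if live.exists():
        os.rename(live, backup)  # previous version kept for rollback
    os.rename(staging, live)     # clients never see a half-deployed tree
    return backup

def _write_release(root: Path, files: dict) -> None:
    """Constructed sample release: the files plus a manifest that matches them."""
    lines = []
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
        lines.append(f"{hashlib.sha256(data).hexdigest()}  {rel}")
    (root / MANIFEST).write_text("\n".join(lines) + "\n")

def demo() -> dict:
    """Deploy a good release, then show one altered after its manifest being refused."""
    tmp, refused = Path(tempfile.mkdtemp()), False
    live = tmp / "html"
    _write_release(tmp / "stage1", {"index.html": b"<h1>v1</h1>", "css/app.css": b"body{}"})
    deploy(tmp / "stage1", live)
    _write_release(tmp / "stage2", {"index.html": b"<h1>v2</h1>"})
    (tmp / "stage2" / "index.html").write_bytes(b"<h1>not v2</h1>")  # tampered in staging
    try:
        deploy(tmp / "stage2", live)
    except RuntimeError:
        refused = True
    return {"live_index": (live / "index.html").read_text(), "tamper_refused": refused}
```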
- Multi-AZ Distribution: Instances spread across 2+ availability zones
- Load Balancing: ALB distributes traffic evenly
- Health Monitoring: Automatic instance replacement
- Connection Draining: Graceful shutdown during updates
- DNS Failover: Route 53 integration ready
Automated dashboards display:
- EC2 Metrics
  - CPU Utilization
  - Network In/Out
  - Disk Read/Write
  - Status Checks
- Auto Scaling Metrics
  - Group Size
  - Desired Capacity
  - Launch/Termination Events
  - Scaling Activity
- ALB Metrics
  - Target Count
  - Request Count
  - Target Response Time
  - HTTP Status Codes
- Application Metrics
  - Memory Utilization
  - Disk Usage
  - Application Response Time
Configured alarms trigger SNS notifications for:
- High CPU utilization (> 80%)
- High memory usage (> 85%)
- ALB unhealthy targets
- Failed deployments
- Auto Scaling failures

Alerts sent via:
- Email notifications
- SMS alerts (optional)
- Custom webhooks
All logs aggregated in CloudWatch Logs:

```
/aws/ec2/application      # Application logs
/aws/ec2/nginx            # Nginx access & error logs
/aws/lambda/deployment    # Lambda function logs
/aws/autoscaling/asg      # Auto Scaling events
```

- CloudWatch Insights: Query logs with SQL-like syntax
- Log Filtering: Create custom filters and metrics
- Log Trending: Identify patterns over time
- Log Alarms: Alert on error patterns

```
Access Logs: /var/log/nginx/access.log
Error Logs:  /var/log/nginx/error.log
Format:      Combined with response time
Rotation:    Daily, compressed
Retention:   7 days local, 30 days CloudWatch
```
```
aws-multitier-terraform-automation/
│
├── README.md                    # Project documentation
├── LICENSE                      # MIT License
├── DESTROY_FIXES.md             # Destruction troubleshooting
│
├── root configuration files
├── main.tf                      # Module orchestration
├── providers.tf                 # AWS provider setup
├── backend.tf                   # State management
├── variables.tf                 # Input variables
├── outputs.tf                   # Infrastructure outputs
├── versions.tf                  # Version constraints
│
├── modules/                     # Reusable Terraform modules
│   ├── vpc/                     # VPC, Subnets, Route Tables, NAT Gateway
│   ├── security/                # Security Groups, NACLs
│   ├── alb/                     # Application Load Balancer, Listeners
│   ├── ec2/                     # Launch Template, Auto Scaling Group
│   ├── iam/                     # IAM Roles, Policies, Instance Profile
│   ├── lambda/                  # Lambda Function, Permissions, S3 Trigger
│   │   └── function/
│   │       └── index.py         # Python deployment handler
│   ├── s3/                      # S3 Bucket, Versioning, Events
│   ├── cloudwatch/              # CloudWatch Logs, Dashboards, Alarms
│   ├── sns/                     # SNS Topic, Subscriptions
│   └── validate_destroy/        # Destruction validations
│
├── environments/                # Environment-specific configurations
│   ├── dev/
│   │   ├── backend.tfvars       # DEV state backend
│   │   └── terraform.tfvars     # DEV variables
│   └── prod/
│       ├── backend.tfvars       # PROD state backend
│       └── terraform.tfvars     # PROD variables
│
└── scripts/                     # Helper scripts
    └── userdata.sh              # EC2 user data for Nginx setup
```
```bash
# Install Terraform
# https://www.terraform.io/downloads.html

# Verify installation
terraform version
```

```bash
# Navigate to dev environment
cd environments/dev

# Initialize Terraform (downloads providers & modules)
terraform init

# Validate configuration syntax
terraform validate

# Preview changes
terraform plan -out=tfplan

# Apply changes (requires approval)
terraform apply tfplan

# Destroy infrastructure
terraform destroy -var-file=terraform.tfvars
```

```bash
# Navigate to prod environment
cd environments/prod

# Initialize Terraform
terraform init

# Validate configuration
terraform validate

# Plan with production values
terraform plan -out=tfplan

# Apply production infrastructure
terraform apply tfplan

# View outputs
terraform output

# Destroy (use with caution!)
terraform destroy -var-file=terraform.tfvars
```

```bash
# Format code
terraform fmt -recursive

# Validate all modules
terraform validate

# View current state
terraform state list
terraform state show aws_instance.example

# Import existing resources
terraform import aws_instance.example i-1234567890abcdef0

# Taint resources (force recreation)
terraform taint aws_instance.example

# Get resource details
terraform show

# Refresh state
terraform refresh

# Clean up .terraform directory
rm -rf .terraform
```

```bash
# Backup state
cp terraform.tfstate terraform.tfstate.backup

# Remote state operations
terraform state pull > current.tfstate
terraform state push current.tfstate

# Remove resource from state
terraform state rm aws_instance.example
```

```bash
# Build your frontend application
npm run build
# or
yarn build
# or for static HTML
# Ensure all assets are in a distribution folder
```

```bash
# Using AWS CLI
aws s3 sync ./dist s3://your-bucket-name/frontend/ \
    --delete \
    --cache-control "max-age=31536000,public"

# Or upload individual files
aws s3 cp ./dist/index.html s3://your-bucket-name/frontend/ \
    --cache-control "max-age=0,no-cache" \
    --content-type "text/html"
```

- S3 detects file upload
- Lambda function is invoked automatically
- Lambda executes SSM Run Command on EC2 instances
- Deployment script runs on all ASG instances
- Files are synced from S3
- Nginx restarts automatically

```bash
# Check ALB endpoint
curl http://your-alb-dns-name

# Check instance logs
aws logs tail /aws/ec2/nginx --follow

# View Lambda logs
aws logs tail /aws/lambda/deployment --follow

# Check Auto Scaling Group status
aws autoscaling describe-auto-scaling-groups \
    --auto-scaling-group-names your-asg-name
```

```bash
# If deployment fails, S3 versioning allows quick rollback.
# List the versions of the object and note the VersionId to roll back to
aws s3api list-object-versions \
    --bucket your-bucket-name \
    --prefix frontend/index.html

# Restore the previous version by copying it over the current one. This writes
# a new current version (so the rollback itself stays in the version history)
# and fires the same S3 upload event, so Lambda redeploys it to the instances.
aws s3api copy-object \
    --bucket your-bucket-name \
    --key frontend/index.html \
    --copy-source "your-bucket-name/frontend/index.html?versionId=PREVIOUS_VERSION_ID"
```

```bash
# Open AWS Console and navigate to:
# CloudWatch > Dashboards > your-project-dashboard
```

Dashboard Widgets:
- Infrastructure health overview
- EC2 performance metrics
- ALB traffic distribution
- Auto Scaling activity
- Lambda execution metrics
- Application error rates

```bash
# Using AWS CLI
aws logs tail /aws/ec2/nginx --follow
aws logs tail /aws/ec2/application --follow
aws logs tail /aws/lambda/deployment --follow

# Using AWS Console:
# CloudWatch > Log Groups > select log group
```

```bash
# Example: Alert on high CPU across the Auto Scaling Group.
# --evaluation-periods is required; the dimension scopes the metric to the ASG,
# and --alarm-actions wires the alarm to the SNS topic (placeholder ARN).
aws cloudwatch put-metric-alarm \
    --alarm-name high-cpu-alarm \
    --alarm-description "Alert when CPU > 80%" \
    --metric-name CPUUtilization \
    --namespace AWS/EC2 \
    --dimensions Name=AutoScalingGroupName,Value=your-asg-name \
    --statistic Average \
    --period 300 \
    --evaluation-periods 2 \
    --threshold 80 \
    --comparison-operator GreaterThanThreshold \
    --alarm-actions arn:aws:sns:<region>:<account-id>:your-sns-topic
```

Monitor key metrics:
- Response Time: p50, p95, p99 latency
- Throughput: Requests per second
- Error Rate: 4xx and 5xx responses
- Resource Utilization: CPU, Memory, Disk
- Scaling Events: ASG launch/termination

- VPC Isolation: Resources in private subnets
- Security Groups: Ingress/Egress rules enforced
- ALB: Single entry point with health checks
- NACLs: Network access control lists per subnet
- IAM Roles: Service-specific permissions
- Principle of Least Privilege: Minimal permissions granted
- Instance Profile: EC2 to AWS service authentication
- Lambda Execution Role: Specific permissions for deployment
- Encryption at Rest: S3 and EBS encryption enabled
- Encryption in Transit: TLS/HTTPS support
- Audit Logging: CloudTrail integration ready
- Backup & Recovery: Automated snapshots
- CloudWatch Logs: Complete audit trail
- Security Alarms: Unauthorized access detection
- Compliance Reports: IAM access analyzer
- Vulnerability Scanning: Security group analysis
- No public IP assignments for application servers
- Bastion host ready (via SSM Session Manager)
- Immutable infrastructure (launch templates)
- Secure defaults for all security groups
- Regular security group audits
- Cross-account access prevented
By deploying this infrastructure, you'll understand:
- Modular infrastructure design patterns
- State management and remote backends
- Variable interpolation and dynamic blocks
- Output values and data sources
- Terraform best practices
- VPC design with public/private subnets
- EC2 Auto Scaling and Launch Templates
- Application Load Balancer configuration
- Lambda event-driven architecture
- IAM role design and policies
- CloudWatch monitoring and alarms
- S3 event notifications
- Systems Manager Run Command
- Infrastructure as Code principles
- CI/CD pipeline design
- Multi-environment management
- Observability and monitoring
- Automated deployment systems
- High availability architecture
- Scalability patterns
- Blue-green deployment strategies
- Graceful shutdowns and drain connections
- Health check implementation
- Centralized logging and log analysis
- Alert fatigue management
- Incident response automation
- Cost optimization
| Category | Technology | Purpose |
|---|---|---|
| IaC | Terraform | Infrastructure provisioning |
| Cloud | AWS | Cloud infrastructure |
| Compute | EC2 | Application servers |
| Network | VPC, ALB | Networking layer |
| Automation | Lambda, SSM | Deployment automation |
| Storage | S3 | Frontend asset storage |
| Monitoring | CloudWatch | Observability |
| Alerting | SNS | Notifications |
| Security | IAM, Security Groups | Access control |
| Web Server | Nginx | Application server |
| OS | Linux (Amazon Linux 2) | EC2 operating system |
| Scripting | Bash | User data scripts |
| VCS | Git/GitHub | Version control |
| DevOps | Terraform, AWS, Docker-ready | CI/CD foundation |
- RDS database integration (MySQL/PostgreSQL)
- Elasticache (Redis/Memcached) for caching
- CloudFront CDN for edge content delivery
- AWS Secrets Manager for sensitive data
- VPN gateway for secure access
- Database replication across AZs
- CI/CD pipeline with GitHub Actions / GitLab CI
- Automated testing (unit, integration, smoke tests)
- Container support (ECR + ECS)
- Infrastructure scanning and compliance checks
- Cost optimization and budget alerts
- Automated infrastructure updates
- Multi-region deployment
- Disaster recovery (DR) strategy
- Backup and restore automation
- Terraform Cloud for state management
- OIDC authentication integration
- Service mesh (Istio/App Mesh)
- Prometheus + Grafana stack
- Distributed tracing (X-Ray)
- Application performance monitoring (APM)
- Error tracking (Sentry)
- Log aggregation (ELK stack)
- Real-time dashboards
Chaitanya Bhosale
- GitHub: https://github.com/Chaitanya5068
- LinkedIn: https://www.linkedin.com/in/chaitanya-bhosale
This production-grade Terraform automation platform demonstrates industry best practices for AWS infrastructure management. It's designed to be:
- Educational: Learn enterprise DevOps patterns
- Scalable: Grow from DEV to PROD with ease
- Maintainable: Clean, modular code structure
- Reliable: High availability built-in
- Secure: Security best practices implemented
- Documentation: Read DESTROY_FIXES.md for troubleshooting
- Issues: Report bugs and request features
- Discussions: Share knowledge and experiences
- References: Check AWS and Terraform documentation
This project is licensed under the MIT License - see LICENSE file for details.
Contributions are welcome! Please feel free to:
- Fork the repository
- Create a feature branch
- Commit your changes
- Push to the branch
- Create a Pull Request
- AWS Documentation and best practices
- Terraform community modules
- DevOps industry standards
- Cloud security frameworks
Built with ❤️ for DevOps Engineers
⭐ If this project helped you, please consider giving it a star! ⭐