🚀 Terraform Day 22: Secure Two-Tier Architecture on AWS (EC2 + RDS)

Published: 1 month ago (December 28, 2025 at 06:39 AM EST)

2 min read

Source: Dev.to

Source: Dev.to

Cover image for 🚀 Terraform Day 22: Secure Two-Tier Architecture on AWS (EC2 + RDS)

🧱 Architecture Overview

The deployed architecture consists of:

🌐 Web Tier

EC2 instance in a public subnet
Accessible via public DNS
Runs a Flask application
Uses Security Groups to restrict inbound access

🗄️ Database Tier

MySQL RDS instance
Hosted in private subnets
No direct internet access
Accepts traffic only from web tier security group

🔐 Secrets Management

Database username & password generated dynamically
Stored securely in AWS Secrets Manager
Retrieved by EC2 during boot via user data

🧩 Terraform Module Design

This project is built using custom Terraform modules, a critical real‑world practice.

Modules used:

VPC module – VPC, public & private subnets, Internet Gateway, NAT Gateway, route tables
Security Group module – Web SG (HTTP access), DB SG (MySQL access only from web SG)
Secrets module – Random password generation, Secrets Manager storage
RDS module – MySQL instance, private subnet placement, credentials injected from Secrets Manager

The root module orchestrates everything by passing outputs between modules.

🔐 Secure Credential Handling (Critical)

One of the most important lessons in Day 22:

❌ No credentials in Terraform code
❌ No credentials in variables.tf
❌ No credentials in user‑data scripts
✅ Password generated using random_password
✅ Stored in AWS Secrets Manager
✅ Retrieved securely at runtime

This is mandatory in real production environments.

⚙️ Application Deployment with User Data

The EC2 instance uses user data to:

Install system dependencies
Install Python and Flask
Fetch database credentials from Secrets Manager
Configure environment variables
Start the Flask application automatically

Result: Infrastructure and application deploy together — fully automated.

🔄 Terraform Workflow Used

Standard, production‑safe workflow:

terraform init
terraform plan
terraform apply

Notes:

RDS provisioning takes time — expected behavior
Outputs expose the application endpoint safely
Infrastructure must be destroyed after testing to avoid costs

Related posts

Terraform Type Constraints: Best Practices for Enterprise-Scale AWS

Terraform's type constraints help write IaC that is reliable, reusable, and easily maintained when building out AWS-based infrastructures. Ensuring your AWS var...

From ClickOps to DevOps: My First Infrastructure as Code Project with Terraform

Introduction The Architecture - VPC: A custom Virtual Private Cloud. - Subnet: A public subnet for the instance. - Internet Gateway IGW: To allow internet acce...

Launch an AWS EC2 Instance

Introduction This guide walks you through launching an AWS EC2 instance, installing Docker, and running NGINX inside a Docker container. By the end you will ha...

AWS VPC

What is AWS VPC? An AWS Virtual Private Cloud VPC is a logically isolated network inside AWS where you can launch resources such as: - EC2 instances - Database...