🚀 Terraform Day 22: Secure Two-Tier Architecture on AWS (EC2 + RDS)

Published: 23 hours ago (December 28, 2025 at 06:39 AM EST)

2 min read

Source: Dev.to

Source: Dev.to

Cover image for 🚀 Terraform Day 22: Secure Two-Tier Architecture on AWS (EC2 + RDS)

🧱 Architecture Overview

The deployed architecture consists of:

🌐 Web Tier

EC2 instance in a public subnet
Accessible via public DNS
Runs a Flask application
Uses Security Groups to restrict inbound access

🗄️ Database Tier

MySQL RDS instance
Hosted in private subnets
No direct internet access
Accepts traffic only from web tier security group

🔐 Secrets Management

Database username & password generated dynamically
Stored securely in AWS Secrets Manager
Retrieved by EC2 during boot via user data

🧩 Terraform Module Design

This project is built using custom Terraform modules, a critical real‑world practice.

Modules used:

VPC module – VPC, public & private subnets, Internet Gateway, NAT Gateway, route tables
Security Group module – Web SG (HTTP access), DB SG (MySQL access only from web SG)
Secrets module – Random password generation, Secrets Manager storage
RDS module – MySQL instance, private subnet placement, credentials injected from Secrets Manager

The root module orchestrates everything by passing outputs between modules.

🔐 Secure Credential Handling (Critical)

One of the most important lessons in Day 22:

❌ No credentials in Terraform code
❌ No credentials in variables.tf
❌ No credentials in user‑data scripts
✅ Password generated using random_password
✅ Stored in AWS Secrets Manager
✅ Retrieved securely at runtime

This is mandatory in real production environments.

⚙️ Application Deployment with User Data

The EC2 instance uses user data to:

Install system dependencies
Install Python and Flask
Fetch database credentials from Secrets Manager
Configure environment variables
Start the Flask application automatically

Result: Infrastructure and application deploy together — fully automated.

🔄 Terraform Workflow Used

Standard, production‑safe workflow:

terraform init
terraform plan
terraform apply

Notes:

RDS provisioning takes time — expected behavior
Outputs expose the application endpoint safely
Infrastructure must be destroyed after testing to avoid costs

Related posts

From ClickOps to DevOps: My First Infrastructure as Code Project with Terraform

Introduction The Architecture - VPC: A custom Virtual Private Cloud. - Subnet: A public subnet for the instance. - Internet Gateway IGW: To allow internet acce...

🛡️ AWS 109: The Ultimate Safety Net - Enabling EC2 Termination Protection

markdown !Cover image for 🛡️ AWS 109: The Ultimate Safety Net - Enabling EC2 Termination Protectionhttps://media2.dev.to/dynamic/image/width=1000,height=420,fi...

# Defending the Cloud-Native Frontier: Security as Code with Terraform & OPA

Overview 🚀 I just delivered a talk on “Security as Code: Enforcing AWS Security from Day One” to a group of 35+ cloud professionals. In today’s fast‑moving cl...

Terraform with AWS- Day1: Why Terraform Matters & How It Really Works

What Is Infrastructure as Code IaC? Infrastructure as Code IaC means you write code to create and manage your cloud infrastructure. It lets you use code instea...