coderabbitai/rabbits-playground

Showing off IaC and CodeRabbit

This repository contains Terragrunt configurations for managing AWS infrastructure across multiple environments (dev and prod).

Architecture Overview

The infrastructure includes:

  • VPC: Multi-AZ VPC with public and private subnets
  • EKS Cluster: Kubernetes 1.28 with ARM64 (Graviton) node groups
  • Bastion Host: Secure SSH access point with SSM support
  • S3 Buckets: Separate buckets for static content and user uploads
  • CloudFront: CDN distribution for static content delivery
  • Route53: DNS management with custom records

Directory Structure

    terragrunt/
    ├── terragrunt.hcl              # Root configuration with S3 backend
    ├── modules/                    # Reusable Terraform modules
    │   ├── vpc/
    │   ├── eks/
    │   ├── bastion/
    │   ├── s3/
    │   ├── cloudfront/
    │   └── route53/
    ├── dev/                        # Development environment
    │   ├── terragrunt.hcl
    │   ├── vpc/
    │   ├── eks/
    │   ├── bastion/
    │   ├── s3/
    │   ├── cloudfront/
    │   └── route53/
    └── prod/                       # Production environment
        ├── terragrunt.hcl
        ├── vpc/
        ├── eks/
        ├── bastion/
        ├── s3/
        ├── cloudfront/
        └── route53/

Prerequisites

  1. AWS CLI: Configure with appropriate credentials

    aws configure
  2. Terraform: Version >= 1.5

    terraform version
  3. Terragrunt: Latest version

    terragrunt --version
  4. Environment Variables: Set your AWS account ID

    export AWS_ACCOUNT_ID="123456789012"
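The four prerequisites above are easy to get subtly wrong (an old Terraform, or credentials that belong to a different account than the one in AWS_ACCOUNT_ID). This is an added pre-flight script, not part of the repository; it assumes only what the README states (Terraform >= 1.5, the three CLIs on PATH, AWS_ACCOUNT_ID exported) and aborts before any state is created if the caller's credentials resolve to another account.

```shell
#!/bin/sh
# Pre-flight checks before running any terragrunt command: tool presence,
# Terraform version, and that the active credentials belong to AWS_ACCOUNT_ID.
# Added example, not the repository's own code.
set -eu

# Compare dotted version strings numerically: version_ge 1.10.0 1.9.8 -> true.
version_ge() {
  v=$1; w=$2
  while [ -n "$v" ] || [ -n "$w" ]; do
    vh=${v%%.*}; wh=${w%%.*}
    case "$v" in *.*) v=${v#*.} ;; *) v='' ;; esac
    case "$w" in *.*) w=${w#*.} ;; *) w='' ;; esac
    [ "${vh:-0}" -gt "${wh:-0}" ] && return 0
    [ "${vh:-0}" -lt "${wh:-0}" ] && return 1
  done
  return 0
}

# "Terraform v1.6.2 <newline> on linux_arm64" -> "1.6.2"
parse_terraform_version() {
  printf '%s\n' "$1" | sed -n 's/^Terraform v\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# AWS account IDs are exactly 12 digits; anything else is a typo or an unset variable.
valid_account_id() {
  case "$1" in *[!0-9]*|'') return 1 ;; esac
  [ ${#1} -eq 12 ]
}

preflight() {
  for tool in aws terraform terragrunt; do
    command -v "$tool" >/dev/null 2>&1 || { echo "missing: $tool" >&2; return 1; }
  done
  tfv=$(parse_terraform_version "$(terraform version)")
  version_ge "$tfv" 1.5 || { echo "Terraform $tfv is older than 1.5" >&2; return 1; }
  valid_account_id "${AWS_ACCOUNT_ID:-}" || { echo "AWS_ACCOUNT_ID must be 12 digits" >&2; return 1; }
  # The decisive check: a stale profile or an assumed role pointing at another
  # account would otherwise create the state bucket and VPCs in the wrong place.
  actual=$(aws sts get-caller-identity --query Account --output text)
  [ "$actual" = "$AWS_ACCOUNT_ID" ] || {
    echo "credentials belong to account $actual, not $AWS_ACCOUNT_ID" >&2; return 1; }
  echo "ok: terraform $tfv, account $actual"
}

# usage: sh preflight.sh run
if [ "${1:-}" = "run" ]; then preflight; fi
```

Run it once per shell session before `terragrunt init`; the account comparison is the check that matters most, since Terragrunt will happily bootstrap a backend in whatever account the credentials point at.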

Configuration

Update Root Configuration

Edit terragrunt.hcl to set:

  • AWS region
  • Account ID
  • Backend bucket name

Update Environment Variables

For each environment (dev/prod):

  1. VPC CIDR: Update vpc_cidr in {env}/vpc/terragrunt.hcl
  2. Domain Names: Update domain names in {env}/route53/terragrunt.hcl
  3. SSH Access: Add your SSH public key in {env}/bastion/terragrunt.hcl
  4. IP Restrictions: Configure allowed_cidr_blocks for bastion access (only the source ranges that need SSH; never 0.0.0.0/0)

Deployment

Initialize Backend

First deployment creates the S3 bucket and DynamoDB table automatically. Terraform state stores resource attributes, including sensitive ones, in plain text, so the state bucket must stay private and encrypted:

    cd dev/vpc
    terragrunt init

Deploy Full Environment

Deploy all resources in dependency order:

    # Deploy VPC first
    cd dev/vpc
    terragrunt apply

    # Deploy EKS cluster
    cd ../eks
    terragrunt apply

    # Deploy remaining resources
    cd ../bastion && terragrunt apply
    cd ../s3 && terragrunt apply
    cd ../cloudfront && terragrunt apply
    cd ../route53 && terragrunt apply

Deploy All Resources at Once

Use run-all to deploy everything; Terragrunt orders the modules from their dependency blocks:

    cd dev
    terragrunt run-all apply

Infrastructure Details

VPC Module

  • Creates VPC with configurable CIDR
  • 3 public and 3 private subnets across AZs
  • NAT gateways (single for dev, multi-AZ for prod)
  • Internet gateway and route tables
  • Tagged for EKS integration

EKS Module

  • Kubernetes version 1.28
  • ARM64 (Graviton) node groups
  • OIDC provider for IRSA
  • Essential add-ons (VPC CNI, CoreDNS, kube-proxy)
  • CloudWatch logging
  • Environment-specific scaling

Dev Configuration:

  • SPOT instances
  • 2 min, 3 max nodes
  • t4g.medium instances

Prod Configuration:

  • ON_DEMAND instances
  • 3 min, 10 max nodes
  • t4g.large/xlarge instances
  • Private API endpoint

Bastion Module

  • ARM-based Amazon Linux 2
  • Elastic IP for consistent access
  • SSM Session Manager support
  • Security group allowing SSH only from allowed_cidr_blocks
  • Optional SSH key authentication

Access via SSM:

    aws ssm start-session --target <instance-id>

Access via SSH:

    ssh -i ~/.ssh/id_rsa ec2-user@<bastion-ip>
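Because the bastion already has SSM support, SSH can be tunnelled through Session Manager instead of an inbound port 22, which lets the security group drop the SSH rule entirely while keeping SSH semantics (scp, port forwards). This is an added example, not the repository's own tooling; it assumes the bastion carries a Name tag of `<env>-bastion`, that the Session Manager plugin is installed locally, and that the instance profile allows SSM, none of which the README spells out.

```shell
#!/bin/sh
# SSH to the bastion through SSM Session Manager (no public port 22 needed).
# Added example, not the repository's own code. Assumptions not stated in the README:
#   - the bastion instance is tagged Name=<env>-bastion
#   - the AWS Session Manager plugin is installed on the workstation
#   - the bastion's instance profile allows SSM (the README says SSM is supported)
set -eu

# Look up the running bastion instance ID for an environment by its Name tag.
# Several matches come back tab-separated and are rejected by valid_instance_id.
bastion_instance_id() {
  aws ec2 describe-instances \
    --filters "Name=tag:Name,Values=$1-bastion" "Name=instance-state-name,Values=running" \
    --query 'Reservations[].Instances[].InstanceId' --output text
}

# Shape check so an empty result or "None" never reaches ssh: "i-" plus 8 or 17 hex digits.
valid_instance_id() {
  id=${1#i-}
  [ "$id" != "$1" ] || return 1
  case "$id" in *[!0-9a-f]*|'') return 1 ;; esac
  [ ${#id} -eq 8 ] || [ ${#id} -eq 17 ]
}

# Print an ssh_config stanza. %h becomes the instance ID, so after pasting it into
# ~/.ssh/config a plain "ssh <env>-bastion" works with no public IP and no open port 22.
ssm_ssh_config() {
  env=$1; id=$2; key=${3:-}
  [ -n "$key" ] || key='~/.ssh/id_rsa'
  printf 'Host %s-bastion\n' "$env"
  printf '  HostName %s\n' "$id"
  printf '  User ec2-user\n'
  printf '  IdentityFile %s\n' "$key"
  printf '  ProxyCommand aws ssm start-session --target %%h --document-name AWS-StartSSHSession --parameters portNumber=%%p\n'
}

# usage: sh ssm_bastion.sh config dev    -> prints the ssh_config stanza
#        sh ssm_bastion.sh shell  prod   -> opens an interactive SSM session
case "${1:-}" in
  config)
    id=$(bastion_instance_id "$2")
    valid_instance_id "$id" || { echo "no single running $2-bastion found" >&2; exit 1; }
    ssm_ssh_config "$2" "$id" ;;
  shell)
    id=$(bastion_instance_id "$2")
    valid_instance_id "$id" || { echo "no single running $2-bastion found" >&2; exit 1; }
    exec aws ssm start-session --target "$id" ;;
esac
```

Once SSH goes over SSM, the Elastic IP and the SSH ingress rule become optional; the session is still authenticated by the SSH key, and every SSM session is additionally recorded in CloudTrail.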

S3 Module

Two buckets created:

  1. Static Content Bucket

    • Server-side encryption
    • CORS configuration
    • CloudFront OAI access (Origin Access Identity; AWS now recommends Origin Access Control for new distributions)
    • Public access blocked
  2. User Content Bucket

    • Versioning (prod only)
    • Lifecycle rules (prod only)
    • Multipart upload cleanup
    • Glacier archival after 180 days

CloudFront Module

  • HTTPS-only distribution
  • Custom caching behaviors
  • CORS support
  • Custom error pages
  • Optional custom domains
  • Geo-restriction support

Cache Behaviors:

  • Default: 1 hour TTL
  • Static assets: 1 day TTL
  • Images: 1 day TTL

Route53 Module

  • Hosted zone management
  • CloudFront A/AAAA records
  • Bastion host record
  • Custom DNS records
  • Domain verification TXT records
  • CAA records limiting which CAs may issue TLS certificates for the domain

Accessing the EKS Cluster

Update kubeconfig:

    aws eks update-kubeconfig --name dev-eks-cluster --region us-west-2
    kubectl get nodes

Cost Optimization

Development Environment

  • Single NAT gateway
  • SPOT instances for EKS nodes
  • Smaller instance types
  • Reduced log retention (7 days)
  • Versioning disabled
  • Lifecycle rules disabled

Production Environment

  • Multi-AZ NAT gateways for HA
  • ON_DEMAND instances
  • Larger instance types
  • Extended log retention (30 days)
  • Versioning enabled
  • Lifecycle rules enabled

Maintenance

Update Terraform Modules

    cd dev/vpc
    terragrunt init -upgrade
    terragrunt apply

Update EKS Version

Edit kubernetes_version in {env}/eks/terragrunt.hcl and apply:

    cd dev/eks
    terragrunt apply

Destroy Resources

Destroy in reverse dependency order (run-all destroy walks the dependency graph backwards):

    cd dev
    terragrunt run-all destroy

Security Best Practices

  1. Bastion Access: Restrict allowed_cidr_blocks to known IPs; never 0.0.0.0/0
  2. SSH Keys: Use SSH keys instead of passwords, and prefer SSM Session Manager, which needs no inbound port 22 at all
  3. EKS API: Use the private endpoint for production
  4. S3 Encryption: Server-side encryption enabled by default
  5. CloudFront: HTTPS-only with modern TLS versions
  6. IAM Roles: Use IRSA for pod-level permissions instead of node-wide instance profiles
  7. VPC: Private subnets for EKS nodes
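Configuration step 4 (set allowed_cidr_blocks) and best practice 1 (restrict it to known IPs) are the kind of rule that gets violated by a quick "0.0.0.0/0 for now". This is an added pre-apply guardrail, not part of the repository: it assumes (the README does not show the file) that {env}/bastion/terragrunt.hcl carries the list as an HCL input such as `allowed_cidr_blocks = ["203.0.113.0/24", "198.51.100.7/32"]`, validates IPv4 entries only, and fails if the list is missing, world-open, or malformed.

```shell
#!/bin/sh
# Guardrail for the bastion's allowed_cidr_blocks: fail before `terragrunt apply`
# if the list is missing, contains an any-address range, or has malformed entries.
# Added example, not the repository's own code. Assumes (not shown in the README)
# that {env}/bastion/terragrunt.hcl sets the list as an HCL input literal, e.g.
#   allowed_cidr_blocks = ["203.0.113.0/24", "198.51.100.7/32"]
# Only IPv4 entries are validated; IPv6 entries get a warning.
set -eu

# Print each quoted string inside the allowed_cidr_blocks list, one per line.
# Handles single- and multi-line lists and skips "#" / "//" comment lines.
extract_cidrs() {
  awk '
    /^[[:space:]]*(#|\/\/)/ { next }
    /allowed_cidr_blocks[[:space:]]*=/ { inlist = ($0 ~ /\[/) }
    inlist {
      line = $0
      while (match(line, /"[^"]*"/)) {
        print substr(line, RSTART + 1, RLENGTH - 2)
        line = substr(line, RSTART + RLENGTH)
      }
      if (index($0, "]") > 0) inlist = 0
    }
  ' "$1"
}

# Strict IPv4 CIDR check: four octets 0-255 and a /0-32 prefix.
valid_ipv4_cidr() {
  case "$1" in *[!0-9./]*|''|*/*/*|*/|/*) return 1 ;; esac
  ip=${1%/*}; prefix=${1#*/}
  [ "$ip" != "$1" ] || return 1                 # no "/" at all
  [ "$prefix" -le 32 ] 2>/dev/null || return 1
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
  done
}

# Returns 1 if the file's list is missing, open to the world, or malformed;
# prints a WARN (but passes) for ranges broader than a /24.
check_bastion_cidrs() {
  file=$1; bad=0; found=0
  for cidr in $(extract_cidrs "$file"); do
    found=1
    case "$cidr" in
      */0) echo "FAIL $file: $cidr allows SSH from everywhere" >&2; bad=1; continue ;;
      *:*) echo "WARN $file: IPv6 entry $cidr is not validated by this check" >&2; continue ;;
    esac
    if ! valid_ipv4_cidr "$cidr"; then
      echo "FAIL $file: '$cidr' is not a valid IPv4 CIDR" >&2; bad=1; continue
    fi
    case "$cidr" in
      */2[4-9]|*/3[0-2]) ;;
      *) echo "WARN $file: $cidr is broader than a /24; prefer per-office or per-host ranges" >&2 ;;
    esac
  done
  [ "$found" -eq 1 ] || { echo "FAIL $file: no allowed_cidr_blocks list found" >&2; bad=1; }
  return $bad
}

# usage: sh check_bastion_cidrs.sh dev/bastion/terragrunt.hcl prod/bastion/terragrunt.hcl
if [ "$#" -gt 0 ]; then
  rc=0
  for f in "$@"; do check_bastion_cidrs "$f" || rc=1; done
  exit $rc
fi
```

Wire it in as a pre-commit hook or a CI step ahead of `terragrunt run-all plan`, so a world-open bastion is rejected before it is ever planned.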

Troubleshooting

Backend Already Exists

If the S3 state bucket already exists (or the backend settings changed), reconfigure the backend instead of letting Terragrunt try to create it:

    terragrunt init -reconfigure

Dependency Errors

Ensure dependencies are deployed first:

terragrunt graph-dependencies

State Lock Issues

Release the DynamoDB lock (only once you are sure the apply that took it is no longer running):

    terragrunt force-unlock <lock-id>
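The lock ID has to be copied out of the "Error acquiring the state lock" message, and unlocking a lock that a colleague's apply still holds corrupts state. This is an added helper, not part of the repository: it parses the Lock Info block Terraform prints, shows who took the lock and when, validates that the ID is a UUID, and only then runs the force-unlock from the module directory given on the command line.

```shell
#!/bin/sh
# Extract the lock ID from captured terragrunt/terraform output and force-unlock
# only after showing the holder and confirming. Added example, not the repository's code.
set -eu

# Print one field ("ID", "Who", "Created", "Operation", ...) from the "Lock Info:" block.
lock_field() {   # $1 = field name; stdin = captured error output
  sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# State lock IDs are UUIDs; never pass arbitrary text to force-unlock.
valid_lock_id() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# $1 = module directory that owns the state (e.g. dev/eks), $2 = file with the captured error.
unlock_stale() {
  id=$(lock_field ID < "$2")
  valid_lock_id "$id" || { echo "no lock ID found in $2" >&2; return 1; }
  echo "Lock $id: $(lock_field Operation < "$2") by '$(lock_field Who < "$2")' since $(lock_field Created < "$2")"
  echo "Force-unlock only if that process is really gone (check the operator's terminal or CI job)."
  printf 'Type the lock ID to confirm: '
  read -r confirm
  [ "$confirm" = "$id" ] || { echo "aborted" >&2; return 1; }
  (cd "$1" && terragrunt force-unlock "$id")   # terraform prompts once more before releasing
}

# usage: terragrunt apply 2>&1 | tee /tmp/tg.log   (fails with the lock error)
#        sh unlock.sh unlock dev/eks /tmp/tg.log
case "${1:-}" in
  unlock) unlock_stale "$2" "$3" ;;
esac
```

The Who and Created fields are the evidence to check before unlocking: a lock created minutes ago by a CI runner almost certainly belongs to a job that is still applying.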

EKS Node Issues

Check node status:

    kubectl get nodes
    kubectl describe node <node-name>

Environment-Specific Configurations

Development

  • Single NAT gateway
  • SPOT instances
  • Smaller resources
  • Public EKS endpoint (if it stays public, restrict the endpoint's public access CIDRs)
  • Minimal log retention

Production

  • Multi-AZ NAT gateways
  • ON_DEMAND instances
  • Larger resources
  • Private EKS endpoint
  • Extended log retention
  • Versioning enabled

Additional Resources

Support

For issues or questions:

  1. Check Terragrunt logs: terragrunt apply --terragrunt-log-level debug (recent Terragrunt releases accept --log-level instead)
  2. Review AWS CloudWatch logs
  3. Consult AWS documentation

License

This infrastructure code is provided as-is for reference and customization.
