Automate security deployment and integration of AWS infrastructure with open source tools

Tram Ho

Introduction

This article shows how to deploy infrastructure on AWS automatically with Terraform and how to integrate several security checks into the deployment pipeline and the resulting system.

You can refer to the repository here

Deployment model

Infrastructure architecture

In this article we build a multi-tier web architecture and install WordPress on it as the test workload.
* Network layer: VPC, Internet Gateway, Security Group rules, …
* Database layer: Amazon RDS MySQL or Amazon Aurora MySQL, AWS Secrets Manager, AWS Backup, …
* Application layer: EC2, EFS, Auto Scaling Group, Application Load Balancer, ElastiCache Memcached, S3, CloudFront, …

Note: To reduce cost somewhat we do not use private subnets; instead, Security Group rules are configured to control the traffic that reaches each resource. With this choice the Security Group rules are the only network boundary, so every rule must name the security group of the tier in front of it as its source rather than a CIDR range.

Deploy on Git

When the source code is managed on GitHub, GitLab, Bitbucket or a similar service, we need CI/CD tooling and automated checks so that contributors' commits are integrated and deployed without conflicting with each other.

Note: The default values for resources are in the file /main/variables.tf

Workflow

Checkov

Checkov is a static analysis tool for infrastructure-as-code: it scans IaC files before they are deployed and reports misconfigurations related to security or compliance standards. Checkov supports Terraform, CloudFormation, Dockerfiles, Kubernetes manifests and more, and its policies can be the built-in ones or custom ones.
In this system, Checkov is set up as follows:

.github/workflow/release.yaml

Checkov checks whether the resources to be created meet the security requirements, and for each finding it also tells developers what to change:
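As an added example (not code from the article's repository), the following shows the kind of finding Checkov raises on the database layer of this design, and the same resource with the findings fixed. The check IDs are from Checkov's built-in AWS policy set; confirm them against your own scan output, because an inline suppression only works when the ID matches exactly. The variables (db_username, db_password, db_security_group_id, db_subnet_group) are assumptions, and only the second resource belongs in the module; the first is shown purely to illustrate the findings. The password is passed as a variable here; the AWS Secrets Manager section below covers keeping it out of the configuration.

```hcl
# Before: an RDS instance as a developer might first write it.
# Checkov flags it with, among others:
#   CKV_AWS_16  Ensure all data stored in the RDS is securely encrypted at rest
#   CKV_AWS_17  Ensure all data stored in RDS is not publicly accessible
resource "aws_db_instance" "wordpress_before" {
  identifier          = "wordpress-db"
  engine              = "mysql"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  db_name             = "wordpress"
  username            = var.db_username   # assumed variable
  password            = var.db_password   # assumed variable
  publicly_accessible = true              # flagged by CKV_AWS_17
  storage_encrypted   = false             # flagged by CKV_AWS_16
  skip_final_snapshot = true
}

# After: the same instance with the findings fixed. This design has no private
# subnets (see the note above), so publicly_accessible = false is what keeps
# the database off the internet: the instance then gets no public address and
# the security group alone decides who may connect.
resource "aws_db_instance" "wordpress" {
  identifier             = "wordpress-db"
  engine                 = "mysql"
  instance_class         = "db.t3.micro"
  allocated_storage      = 20
  db_name                = "wordpress"
  username               = var.db_username
  password               = var.db_password
  publicly_accessible    = false
  storage_encrypted      = true                        # AWS-managed KMS key
  vpc_security_group_ids = [var.db_security_group_id]  # assumed variable
  db_subnet_group_name   = var.db_subnet_group         # assumed variable
  skip_final_snapshot    = true

  # Multi-AZ doubles the instance cost and this project optimises for cost, so
  # the finding is accepted explicitly instead of being left as noise in every
  # scan. The text after the colon appears as the reason in Checkov's report.
  #checkov:skip=CKV_AWS_157:Single-AZ accepted for the cost-optimised test environment
  multi_az = false
}
```

Run `checkov -d ./main` locally before pushing to see the same report the workflow produces on the pull request. Prefer fixing a finding over suppressing it; when a suppression is justified, keep it inline next to the resource as above, so the accepted risk is reviewed together with the code that carries it.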


Cost Estimate

Alongside deploying resources, the cost of deploying and operating them also needs to be kept under control. The cost of the resources generated by Terraform is estimated automatically with infracost.io directly on the pull request, so the team can analyse the cost impact of a change before it is merged.

.github/workflow/infra-cost.yaml

Atlantis

Atlantis is an open source tool that integrates with Terraform and allows terraform plan and terraform apply to be run directly from a pull request. A comment on the pull request sends a webhook to the HTTP endpoint of Atlantis; after running the plan or apply, Atlantis posts the output back as a comment on the same pull request. This lets the team review both the Terraform code and its planned effect before merging into the master branch.

Note: For security reasons, Atlantis is not included in this repository.

Without Atlantis, our workflow might look like this:

Workflow with Atlantis integration:

As soon as a change is pushed, the pull request sends a trigger to Atlantis to run the plan (or a contributor comments atlantis plan):

Once the code review is complete and the pull request is approved, commenting atlantis apply triggers Atlantis to apply the change to the system:

Atlantis is very effective for teams: with the source code managed in Git, pull requests created by team members are planned and reviewed by the team lead, who decides directly on the pull request whether to merge. Because the Atlantis server holds the cloud credentials used to apply changes, it should require the pull request to be approved before an atlantis apply comment is honoured (the apply_requirements setting in the server-side repos.yaml). To deploy an Atlantis server with Git, refer here

The workflow for Atlantis in this system is defined as follows:

atlantis/repos.yaml

/atlantis.yaml

Make infrastructure more secure

Security Groups

Traffic to resources is controlled by rules in security groups. For EC2, only traffic coming from the Application Load Balancer is allowed and for Database, only traffic coming from EC2.

Create security group for EC2 (/modules/networking/main.tf)

Create security group for database (/modules/networking/main.tf)
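The chain described above, written out as an added example rather than the repository's own /modules/networking/main.tf (var.vpc_id is an assumed variable): the load balancer is the only group that accepts traffic from the internet, the EC2 group accepts only the load balancer's group as source, and the database group accepts only the EC2 group. The rules are separate aws_security_group_rule resources so that the ALB and EC2 groups can reference each other without a dependency cycle between the group definitions.

```hcl
resource "aws_security_group" "alb" {
  name        = "wordpress-alb"
  description = "Application Load Balancer: accepts traffic from the internet"
  vpc_id      = var.vpc_id   # assumed variable
}

resource "aws_security_group" "ec2" {
  name        = "wordpress-ec2"
  description = "WordPress instances: accept traffic only from the ALB"
  vpc_id      = var.vpc_id
}

resource "aws_security_group" "db" {
  name        = "wordpress-db"
  description = "RDS MySQL: accepts traffic only from the EC2 instances"
  vpc_id      = var.vpc_id
}

# Internet -> ALB. Every rule carries a description; Checkov reports rules
# without one (CKV_AWS_23), and descriptions make later review far easier.
resource "aws_security_group_rule" "alb_in_https" {
  security_group_id = aws_security_group.alb.id
  type              = "ingress"
  description       = "HTTPS from anywhere"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}

resource "aws_security_group_rule" "alb_in_http" {
  security_group_id = aws_security_group.alb.id
  type              = "ingress"
  description       = "HTTP from anywhere; the listener redirects to HTTPS"
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}

# ALB -> EC2 only. The ALB cannot reach anything else in the VPC.
resource "aws_security_group_rule" "alb_out_ec2" {
  security_group_id        = aws_security_group.alb.id
  type                     = "egress"
  description              = "Forward only to the EC2 tier"
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.ec2.id
}

# EC2 accepts HTTP from the ALB's group, not from any CIDR range. There is
# deliberately no port 22 rule (CKV_AWS_24 flags SSH open to 0.0.0.0/0).
resource "aws_security_group_rule" "ec2_in_alb" {
  security_group_id        = aws_security_group.ec2.id
  type                     = "ingress"
  description              = "HTTP from the ALB only"
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.alb.id
}

# Instances need outbound access for the database, EFS, Memcached and
# package updates; there is no NAT in this design, so this stays open.
resource "aws_security_group_rule" "ec2_out_all" {
  security_group_id = aws_security_group.ec2.id
  type              = "egress"
  description       = "Outbound to RDS, EFS, Memcached and package repositories"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
}

# Database accepts MySQL from the EC2 group only.
resource "aws_security_group_rule" "db_in_ec2" {
  security_group_id        = aws_security_group.db.id
  type                     = "ingress"
  description              = "MySQL from the EC2 tier only"
  from_port                = 3306
  to_port                  = 3306
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.ec2.id
}
```

The EFS (port 2049) and Memcached (port 11211) groups follow the same pattern, with aws_security_group.ec2.id as the only source. A quick check after apply: from one of the instances, `mysql -h <rds endpoint>` should connect, while the same command from any host outside the EC2 group should time out rather than reach the database.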

AWS Secrets Manager

AWS Secrets Manager stores and protects the credentials used to access applications or services. Users and applications retrieve the credentials with a call to the Secrets Manager API, so they never need to be written into configuration files. Secrets Manager can also rotate credentials periodically through a Lambda function, which limits how long a leaked credential remains usable.
In this system, we use AWS Secrets Manager to store the database's login information, and every 30 days the database password is changed by the rotation Lambda.

Save Database credentials in AWS Secrets Manager (/modules/database/db-rotate.tf)

Automatically rotate passwords (/modules/database/db-rotate.tf)

Password rotate cycle (/main/variables.tf)
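The three pieces just listed (storing the credentials, enabling rotation, and the rotation interval variable), as an added example that is not the repository's own db-rotate.tf. It assumes the rotation function already exists and its ARN is passed in as var.rotation_lambda_arn (for RDS MySQL the AWS-provided SecretsManagerRDSMySQLRotationSingleUser function is the usual choice); var.db_security_group_id and var.db_subnet_group are also assumptions. The JSON layout of the secret is the one that function reads and updates.

```hcl
variable "rotation_days" {
  description = "How often Secrets Manager rotates the database password"
  type        = number
  default     = 30
}

# Initial password generated by Terraform. RDS master passwords may not
# contain '/', '@', '"' or space, so the special-character set excludes them.
resource "random_password" "db" {
  length           = 32
  special          = true
  override_special = "!#$%^&*()-_=+[]{}<>:?"
}

resource "aws_secretsmanager_secret" "db" {
  name                    = "wordpress/rds/master"
  description             = "RDS master credentials for the WordPress database"
  recovery_window_in_days = 7
}

resource "aws_db_instance" "wordpress" {
  identifier             = "wordpress-db"
  engine                 = "mysql"
  instance_class         = "db.t3.micro"
  allocated_storage      = 20
  db_name                = "wordpress"
  username               = "wpadmin"
  password               = random_password.db.result
  publicly_accessible    = false
  storage_encrypted      = true
  vpc_security_group_ids = [var.db_security_group_id]  # assumed variable
  db_subnet_group_name   = var.db_subnet_group         # assumed variable
  skip_final_snapshot    = true
}

# Fields expected by the AWS-provided RDS MySQL rotation function.
resource "aws_secretsmanager_secret_version" "db" {
  secret_id = aws_secretsmanager_secret.db.id
  secret_string = jsonencode({
    engine   = "mysql"
    host     = aws_db_instance.wordpress.address
    port     = aws_db_instance.wordpress.port
    username = aws_db_instance.wordpress.username
    password = random_password.db.result
    dbname   = aws_db_instance.wordpress.db_name
  })

  # After the first rotation this version is no longer AWSCURRENT. Ignoring
  # changes keeps a later apply from pushing the bootstrap password back.
  lifecycle {
    ignore_changes = [secret_string]
  }
}

# Secrets Manager must be allowed to invoke the rotation function.
resource "aws_lambda_permission" "rotation" {
  statement_id  = "AllowSecretsManagerInvoke"
  action        = "lambda:InvokeFunction"
  function_name = var.rotation_lambda_arn   # assumed variable
  principal     = "secretsmanager.amazonaws.com"
}

resource "aws_secretsmanager_secret_rotation" "db" {
  secret_id           = aws_secretsmanager_secret.db.id
  rotation_lambda_arn = var.rotation_lambda_arn

  rotation_rules {
    automatically_after_days = var.rotation_days
  }

  depends_on = [aws_lambda_permission.rotation, aws_secretsmanager_secret_version.db]
}
```

Two things to check before enabling rotation in this particular design. First, the rotation function runs inside the VPC to reach RDS, and it must also call the Secrets Manager API; because there are no private subnets or NAT here, a Lambda attached to the VPC has no internet route, so a Secrets Manager VPC interface endpoint (or a NAT gateway) is required. Second, a rotated password silently breaks any application that has the old value hard-coded: WordPress must read its database credentials from the secret (for example in the instance user data at boot) rather than from a static wp-config.php. Creating the rotation resource triggers a first rotation immediately, so both conditions need to hold before apply.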

Local Deployment

Similar to the Git deployment but without the workflow; suitable when you manage the source code yourself.

Prerequisites

To deploy an infrastructure on AWS with Terraform, you need to install the AWS CLI and Terraform.

  • To install the AWS CLI, refer here
  • To install Terraform, refer here


Implementation steps

  • Download the source code from GitHub
  • Open a terminal and change into the downloaded folder: cd ./main
  • Initialise the working directory with terraform init; this step is required so that the providers referenced in main.tf are downloaded
  • Check the planned changes before applying: terraform plan
  • Apply the configuration: terraform apply -auto-approve (-auto-approve skips the confirmation prompt; omit it to review the plan once more before anything is created)
  • To destroy the infrastructure: terraform destroy -auto-approve

Check the result

  • After applying, the outputs include the corresponding DNS names. Access the WordPress web server at the value of lb_dns_name
  • To log in to the admin site, add /wp-admin to the website's URL
  • To use the CDN and Memcached, activate the W3 Total Cache plugin in the Plugins section, then enable Memcached and CDN in the General Settings of W3 Total Cache
  • Check the database cache with Memcached
  • Test the CDN with CloudFront

Note

The default values are located in the file /main/variables.tf. You can change these values depending on the purpose of use.



Source : Viblo