
I just spent this weekend setting this up to learn a bit of AWS for a toy project. I thought I would "just" quickly drop a Rust API server image in an ECS cluster.

By the end of the weekend, I had the architecture you describe.

- Route53 alias A record -> ALB DNS name

- LetsEncrypt cert in IAM

- ALB listener doing SSL termination using the cert -> forwarding to target group

- ALB listener doing 80->443 redirect

- Security group on ALB listener allowing only approved IP ranges in (not ready for this thing to be public yet)

- Security group on ECS service only allowing ALB to connect

- ECS cluster using Fargate

- RDS instance only allowing ECS service to connect

- CloudWatch log group for the container logs

- Subnets

- Secrets Manager for pulling Docker images from private GitHub Packages repo

Did it all in Terraform, and then added GitHub Actions to the Terraform repository to do terraform validate on PR and terraform plan && terraform apply -auto-approve on merge.

Then, yesterday, hooked up GitHub Actions on the Rust API server repository to build a version-tagged image and publish it to GitHub Packages, create a PR in the Terraform repository to update the ECS task definition for the new image, and if it passes the PR checks, automatically merge it (which triggers the Terraform plan/apply run).

It did seem complex the first time I did it, but looking back over both the AWS and GitHub Actions configuration, I wouldn't change too much. I feel fairly confident this is secure, and I understand most of the configuration options and why they are there. Something that "simplified" it for me would just become a straitjacket as I get more proficient with AWS.

IaC 101 I guess, but I was chuffed when the Rube Goldberg machine whirred away after making a code commit to the Rust repo, and two minutes later my new code was running on ECS :)

Considering writing up a blog post about it just to firm up my own understanding as well...
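The security-group chain in the list above (approved IP ranges -> ALB -> ECS service -> RDS) is the part of this setup that actually enforces "only the ALB can reach the tasks, only the tasks can reach the database". Below is an added Terraform example of that chain; it is not the commenter's code. The VPC id, the approved CIDR list, the container port (8080) and Postgres on 5432 are assumed inputs, and the ALB, ECS service and RDS resources that would reference these groups are left out.

```hcl
# Added example (not from the original comment). Assumptions: a VPC id, a list
# of approved CIDR ranges, container port 8080 and Postgres on 5432 are all
# hypothetical inputs; the ALB/ECS/RDS resources themselves are out of scope.
variable "vpc_id" { type = string }
variable "approved_cidrs" { type = list(string) } # e.g. office/VPN ranges
variable "container_port" { default = 8080 }

# Groups are created empty; rules live in separate resources so that the
# ALB <-> ECS cross-references do not form a dependency cycle.
resource "aws_security_group" "alb" {
  name   = "alb"
  vpc_id = var.vpc_id
}

resource "aws_security_group" "ecs" {
  name   = "ecs-service"
  vpc_id = var.vpc_id
}

resource "aws_security_group" "rds" {
  name   = "rds"
  vpc_id = var.vpc_id
}

# ALB: only approved ranges may reach 443 (and 80, for the redirect listener).
resource "aws_security_group_rule" "alb_in" {
  for_each          = toset(["80", "443"])
  type              = "ingress"
  security_group_id = aws_security_group.alb.id
  protocol          = "tcp"
  from_port         = tonumber(each.value)
  to_port           = tonumber(each.value)
  cidr_blocks       = var.approved_cidrs
}

# ALB may only open connections to the task port on the ECS security group.
resource "aws_security_group_rule" "alb_out_ecs" {
  type                     = "egress"
  security_group_id        = aws_security_group.alb.id
  protocol                 = "tcp"
  from_port                = var.container_port
  to_port                  = var.container_port
  source_security_group_id = aws_security_group.ecs.id # destination for egress
}

# ECS tasks accept traffic only from the ALB security group ...
resource "aws_security_group_rule" "ecs_in_alb" {
  type                     = "ingress"
  security_group_id        = aws_security_group.ecs.id
  protocol                 = "tcp"
  from_port                = var.container_port
  to_port                  = var.container_port
  source_security_group_id = aws_security_group.alb.id
}

# ... may open connections only to RDS ...
resource "aws_security_group_rule" "ecs_out_rds" {
  type                     = "egress"
  security_group_id        = aws_security_group.ecs.id
  protocol                 = "tcp"
  from_port                = 5432
  to_port                  = 5432
  source_security_group_id = aws_security_group.rds.id
}

# ... plus HTTPS out, which Fargate needs to pull the image, read the registry
# secret from Secrets Manager and ship logs to CloudWatch (replace with VPC
# endpoints if you want the private subnets to have no route to the internet).
resource "aws_security_group_rule" "ecs_out_https" {
  type              = "egress"
  security_group_id = aws_security_group.ecs.id
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_blocks       = ["0.0.0.0/0"]
}

# RDS: inbound Postgres only from the ECS service group. No egress rule is
# defined, so the instance cannot initiate connections to anything.
resource "aws_security_group_rule" "rds_in_ecs" {
  type                     = "ingress"
  security_group_id        = aws_security_group.rds.id
  protocol                 = "tcp"
  from_port                = 5432
  to_port                  = 5432
  source_security_group_id = aws_security_group.ecs.id
}
```

Two things worth checking after `terraform apply`: Terraform's `aws_security_group` resource strips the allow-all egress rule that the console would give you, so the explicit egress rules above are what lets the tasks pull images and reach the database, and a task stuck in PENDING with an image pull error is usually this rule missing. Also, none of this restricts the RDS instance from being reachable from the bastion or other subnets unless those are likewise absent from its ingress rules, so review the RDS group's rules, not just the ECS one.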



What you're describing is what I sold the company on last year (save Letsencrypt, that's weird but whatever).

We only use terraform for the initial burn in (VPC, 2x public/2x private subnets, empty lb, bastion, and some subnet groups) but the rest is one to one.

Fargate isn't the cheapest platform out there but it's great for "I don't have any ops people" or "I have a fraction of several ops people not dedicated to my product." It takes a lot of patching and maintenance out of the equation.

If you want to give yourself a huge resume item, hook AWS WAF into the load balancer and play with it (you can alternatively hook it into Cloudfront if you elect to implement that in front of your LB, though then you have to make sure you protect what Cloudfront is talking to).

Easy task would be to geoip limit your application to the US, Canada, and Mexico. You can verify this by running your site through uptrends and looking at what cities get 403ed https://www.uptrends.com/tools/uptime
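The geo-restriction suggested above, as an added Terraform example that is not from the commenter: a WAFv2 web ACL with a default block action and a single allow rule for US, CA and MX, associated with the ALB. The ALB resource name `aws_lb.app` is an assumption.

```hcl
# Added example (not from the original comment). Assumes an existing regional
# ALB resource named aws_lb.app (hypothetical name).
resource "aws_wafv2_web_acl" "geo_allowlist" {
  name        = "geo-allowlist"
  description = "Allow only US/CA/MX source IPs; everything else gets a 403"
  scope       = "REGIONAL" # use CLOUDFRONT (in us-east-1) if attached to a distribution

  # Default-deny: a request that matches no allow rule is blocked.
  default_action {
    block {}
  }

  rule {
    name     = "allow-north-america"
    priority = 1

    action {
      allow {}
    }

    statement {
      geo_match_statement {
        country_codes = ["US", "CA", "MX"] # ISO 3166-1 alpha-2 codes
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "allow-north-america"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "geo-allowlist"
    sampled_requests_enabled   = true
  }
}

# Attach the ACL to the load balancer; WAF is evaluated before any listener rule.
resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = aws_lb.app.arn
  web_acl_arn  = aws_wafv2_web_acl.geo_allowlist.arn
}
```

Blocked requests get WAF's default 403, which is what the uptrends check in the comment above looks for, and with `sampled_requests_enabled` the WAF console shows the country WAF assigned to each sampled request, which is the quicker way to confirm the rule is doing what you think. If CloudFront is put in front later, either attach a CLOUDFRONT-scoped ACL to the distribution instead, or keep it on the ALB and add a `forwarded_ip_config` block to the geo match so it evaluates X-Forwarded-For rather than the CloudFront edge IP; in that setup the ALB security group should also only admit the AWS-managed CloudFront prefix list so the origin cannot be reached directly, which is the "protect what Cloudfront is talking to" point above.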


> Considering writing up a blog post about it just to firm up my own understanding as well...

Please do; your setup looks quite nice :)

One nit/question:

> LetsEncrypt cert in IAM

Why LetsEncrypt? AWS Certificate Manager is already free and integrated, IIRC


Would definitely be interested in that blog if you write one :)



