A production-grade Infrastructure-as-Code (IaC) project implementing a comprehensive DevSecOps infrastructure on AWS. This repository contains Terraform configurations for deploying containerized Laravel applications with complete monitoring, logging, and security controls.
- Overview
- Quick Start
- Key Features
- Architecture
- Project Structure
- Prerequisites
- Deployment
- Documentation
- Monitoring & Logging
- Security
- Troubleshooting
- Roadmap
- Contributing
## Overview

GoCyc DevSecOps is a complete infrastructure platform for deploying containerized applications on AWS using Terraform. It includes:
- Container Orchestration: Amazon ECS with EC2 launch type
- Database Management: Secure MariaDB RDS instance
- Observability Stack: Prometheus, Grafana, and Loki for metrics and logs
- Security: IAM roles, encrypted secrets, private networks
- Infrastructure-as-Code: Fully reproducible Terraform configurations
- Multi-Environment Support: Separate dev and production configurations
| Component | Technology | Version |
|---|---|---|
| IaC | Terraform | v1.0+ |
| Container Registry | AWS ECR | - |
| Container Orchestration | AWS ECS | EC2 Launch Type |
| Database | MariaDB | 11.4 |
| Metrics | Prometheus | Latest |
| Visualization | Grafana | Latest |
| Logs | Loki | Latest |
| Cloud Provider | AWS | eu-west-3 |
## Quick Start

```bash
# Verify installations
terraform version   # v1.0+
aws --version       # v2.x+
git --version
```

For detailed prerequisites, see the Prerequisites section.

```bash
aws configure
# Enter your AWS Access Key ID, Secret Access Key, and set region to eu-west-3
```

```bash
./deploy_bootstrap.sh
# Creates: S3 backend, ECR repositories, IAM roles
# Duration: 3-5 minutes
```

```bash
./deploy_infra.sh
# Creates: VPC, ECS, RDS, Monitoring stack
# Duration: 15-20 minutes
```

```bash
# Get Grafana IP (filter on the monitoring instance tag so the first reservation is not an ECS host)
aws ec2 describe-instances --region eu-west-3 \
  --filters "Name=tag:Name,Values=*monitoring*" \
  --query 'Reservations[0].Instances[0].PublicIpAddress' --output text
# Open browser: http://<monitoring-ip>
```

For a step-by-step deployment guide, see TECHNICAL.md → Deployment Guide
## Key Features

- Multi-layer Networking: Public, private, and isolated subnets across 2 availability zones
- High Availability: Distributed across multiple AZs for fault tolerance
- Secure Connectivity: NAT gateways for private outbound access
- Flexible Scaling: Ready for auto-scaling group configuration

- ECR Registries: Separate repositories for API and Admin services
- Image Scanning: Automatic scanning on push for vulnerabilities
- Task Definitions: Pre-configured for Laravel applications
- Port Mapping: Container 8080 → Host 80 (bridge networking)

- Managed RDS: MariaDB 11.4 with automatic maintenance
- Encryption: Storage encryption enabled with AWS KMS
- Isolation: Database in private, isolated subnets
- Backup: Automated snapshots for disaster recovery

- Metrics: Prometheus scrapes container and system metrics
- Visualization: Pre-configured Grafana dashboards
- Logs: Loki aggregates logs from all containers
- cAdvisor: Container runtime metrics collection

- Secrets Management: AWS Systems Manager Parameter Store for credentials
- IAM Roles: Principle of least privilege for all services
- Encryption: In-transit (TLS) and at-rest (KMS)
- Network Isolation: Security groups implement defense in depth

- Remote State: Terraform state stored in encrypted S3
- Versioning: State history for rollback capability
- Locking: DynamoDB-based state locking for team collaboration
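The remote-state features above (encrypted S3, versioning, DynamoDB locking) look like this in Terraform. This is an added example, not the project's own `bootstrap/modules/S3` code; the bucket, table and key names are assumptions.

```hcl
resource "aws_kms_key" "tfstate" {
  description         = "Terraform state encryption"
  enable_key_rotation = true
}

resource "aws_s3_bucket" "tfstate" {
  bucket = "gocyc-dev-tfstate-example" # assumed bucket name
}

# Versioning keeps every state revision, so a bad apply can be rolled back.
resource "aws_s3_bucket_versioning" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  versioning_configuration {
    status = "Enabled"
  }
}

# State files hold DB passwords and other outputs in clear text: encrypt with KMS.
resource "aws_s3_bucket_server_side_encryption_configuration" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.tfstate.arn
    }
  }
}

resource "aws_s3_bucket_public_access_block" "tfstate" {
  bucket                  = aws_s3_bucket.tfstate.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Lock table: Terraform's S3 backend requires a string hash key named LockID.
resource "aws_dynamodb_table" "tfstate_lock" {
  name         = "gocyc-dev-tfstate-lock" # assumed table name
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"
  attribute {
    name = "LockID"
    type = "S"
  }
}

# Matching env/dev/backend.tfbackend, passed to `terraform init -backend-config=`:
#   bucket = "gocyc-dev-tfstate-example"   key = "dev/terraform.tfstate"
#   region = "eu-west-3"   dynamodb_table = "gocyc-dev-tfstate-lock"   encrypt = true
```

With `encrypt = true` and the bucket policy above, state is protected at rest, and a concurrent `apply` from a second operator fails fast on the lock instead of corrupting the state file.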
## Architecture

```
┌─────────────────────────────────────────────────────┐
│                      AWS Cloud                      │
│  ┌───────────────────────────────────────────────┐  │
│  │               VPC (10.0.0.0/16)               │  │
│  │                                               │  │
│  │  Public:   EC2 Monitoring                     │  │
│  │  Private:  ECS Container Tasks                │  │
│  │  Isolated: MariaDB RDS                        │  │
│  │                                               │  │
│  │  ┌───────────────────────────────────────┐    │  │
│  │  │ ECS Cluster                           │    │  │
│  │  │ ├─ Service API (Laravel)              │    │  │
│  │  │ └─ Service Admin (Laravel)            │    │  │
│  │  └───────────────────────────────────────┘    │  │
│  │                                               │  │
│  │  ┌───────────────────────────────────────┐    │  │
│  │  │ Monitoring Stack (EC2)                │    │  │
│  │  │ ├─ Prometheus (metrics)               │    │  │
│  │  │ ├─ Grafana (dashboards)               │    │  │
│  │  │ └─ Loki (logs)                        │    │  │
│  │  └───────────────────────────────────────┘    │  │
│  │                                               │  │
│  │  ┌───────────────────────────────────────┐    │  │
│  │  │ MariaDB RDS Instance                  │    │  │
│  │  └───────────────────────────────────────┘    │  │
│  └───────────────────────────────────────────────┘  │
│                                                     │
│  ┌───────────────────────────────────────────────┐  │
│  │ S3 Backend (Terraform State)                  │  │
│  └───────────────────────────────────────────────┘  │
└─────────────────────────────────────────────────────┘
```

For detailed architecture diagrams, see TECHNICAL.md → Architecture
## Project Structure

```
projet_final-devsecops/
├── README.md                  # This file
├── TECHNICAL.md               # Comprehensive technical documentation
├── deploy_bootstrap.sh        # Bootstrap phase deployment script
├── deploy_infra.sh            # Main infrastructure deployment script
│
├── bootstrap/                 # Phase 1: State backend & core resources
│   ├── main.tf                # S3 backend, ECR, IAM roles
│   ├── variables.tf           # Input variables
│   ├── outputs.tf             # Output values
│   ├── env/
│   │   ├── dev/terraform.tfvars
│   │   └── prd/terraform.tfvars
│   └── modules/
│       ├── S3/                # S3 bucket for state
│       └── ECR/               # ECR repositories
│
└── terraform/                 # Phase 2: Main infrastructure
    ├── main.tf                # Main configuration & modules
    ├── variables.tf           # Input variables
    ├── outputs.tf             # Output values
    ├── env/
    │   ├── dev/
    │   │   ├── backend.tfbackend
    │   │   └── terraform.tfvars
    │   └── prd/
    │       ├── backend.tfbackend
    │       └── terraform.tfvars
    └── modules/
        ├── network/           # VPC, subnets, routing
        ├── IAM/               # Roles, policies, profiles
        ├── EC2/               # Monitoring instance
        ├── ECS/               # Cluster, task definitions
        ├── RDS/               # MariaDB database
        └── monitoring/        # Prometheus, Grafana, Loki
```

For the complete directory structure, see TECHNICAL.md → Directory Structure
## Prerequisites

- Terraform: v1.0 or higher (Install)
- AWS CLI: v2.x (Install)
- Git: For version control
- Bash: Shell interpreter

- Create an AWS account or use an existing one
- Generate an Access Key and Secret Key
- Configure the AWS CLI:

  ```bash
  aws configure
  # Region: eu-west-3
  # Output: json
  ```
- EC2, VPC, Subnets, Security Groups
- RDS (MariaDB)
- ECS, ECR
- IAM (Roles, Policies, Instance Profiles)
- S3, KMS, Systems Manager
- CloudWatch Logs
For detailed prerequisites, see TECHNICAL.md → Prerequisites
## Deployment

```bash
# Step 1: Bootstrap
./deploy_bootstrap.sh
# Step 2: Main Infrastructure
./deploy_infra.sh
```

```bash
# Bootstrap Phase
cd bootstrap
terraform fmt
terraform init
terraform apply -var-file=env/dev/terraform.tfvars -auto-approve

# Main Infrastructure Phase
cd ../terraform
terraform fmt
terraform init -backend-config=env/dev/backend.tfbackend
terraform apply -var-file=env/dev/terraform.tfvars -auto-approve
```

Note that `-auto-approve` skips the interactive plan review; when applying against a shared environment, run `terraform plan -var-file=...` first and inspect the changes.

```bash
# Check ECS cluster
aws ecs list-clusters --region eu-west-3
# Check RDS instance
aws rds describe-db-instances --region eu-west-3
# Check EC2 instances
aws ec2 describe-instances --region eu-west-3
```

For detailed deployment steps, see TECHNICAL.md → Deployment Guide
## Documentation

This repository includes comprehensive documentation:
| Document | Purpose | Link |
|---|---|---|
| TECHNICAL.md | Complete technical reference | View |
| Architecture | System design & diagrams | View |
| Modules | Detailed module documentation | View |
| Deployment | Step-by-step deployment guide | View |
| Troubleshooting | Common issues & solutions | View |
| Commands Reference | Useful Terraform & AWS CLI commands | View |
- Infrastructure Components: TECHNICAL.md → Infrastructure Components
- Modules Deep Dive: TECHNICAL.md → Modules
- Security: TECHNICAL.md → Security Considerations
- Networking: TECHNICAL.md → Networking
- Monitoring: TECHNICAL.md → Monitoring & Logging
## Monitoring & Logging

```bash
# Get monitoring instance public IP
aws ec2 describe-instances \
  --region eu-west-3 \
  --filters "Name=tag:Name,Values=*monitoring*" \
  --query 'Reservations[0].Instances[0].PublicIpAddress'
# Open in browser: http://<instance-ip>
```

- Container Metrics: CPU, Memory, Network I/O
- System Metrics: Node CPU, Memory, Disk
- Application Logs: All container logs via Loki

- Prometheus UI: `http://<instance-ip>:9090`
- Loki API: `http://<instance-ip>:3100`

For monitoring details, see TECHNICAL.md → Monitoring & Logging
## Security

- Secrets Management: AWS Systems Manager Parameter Store
- Encryption: KMS encryption for RDS and secrets
- Network Isolation: Private subnets for ECS and RDS
- IAM Policies: Least privilege principle implemented
- Image Scanning: ECR scan on push enabled
- State Locking: DynamoDB-based Terraform state locking
- Audit Trail: S3 versioning for state history
- Never commit secrets to version control
- Use IAM roles instead of access keys
- Enable MFA for AWS account access
- Rotate credentials regularly
- Monitor CloudTrail for API access
- Review Security Groups regularly
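Two of the controls listed above, ECR scan on push and Parameter Store secrets, fit together in the ECS task definition: the container receives the database password through `secrets` rather than a plain environment variable, so it never appears in `terraform.tfvars` or the task definition. This is an added example, not the project's ECR/ECS module code; the repository name, parameter path, image tag and `execution_role_arn` input are assumptions.

```hcl
resource "aws_ecr_repository" "api" {
  name                 = "gocyc-dev-api" # assumed name
  image_tag_mutability = "IMMUTABLE"     # a scanned tag cannot be silently replaced
  image_scanning_configuration {
    scan_on_push = true
  }
}

variable "execution_role_arn" { type = string } # task execution role (assumed input)

resource "random_password" "db" {
  length  = 32
  special = false
}

# Stored KMS-encrypted in Parameter Store; never written to terraform.tfvars.
resource "aws_ssm_parameter" "db_password" {
  name  = "/gocyc/dev/db_password" # assumed path
  type  = "SecureString"
  value = random_password.db.result
}

resource "aws_ecs_task_definition" "api" {
  family                   = "dev-service-api"
  requires_compatibilities = ["EC2"]
  network_mode             = "bridge"
  # Execution role needs ssm:GetParameters and kms:Decrypt on the parameter's key.
  execution_role_arn = var.execution_role_arn
  container_definitions = jsonencode([{
    name         = "api"
    image        = "${aws_ecr_repository.api.repository_url}:v1.0.0" # assumed tag
    memory       = 512
    portMappings = [{ containerPort = 8080, hostPort = 80, protocol = "tcp" }]
    # `secrets` is resolved by the ECS agent at task start, so the password value
    # is neither in the task definition nor in `describe-task-definition` output.
    secrets = [{
      name      = "DB_PASSWORD"
      valueFrom = aws_ssm_parameter.db_password.arn
    }]
    logConfiguration = {
      logDriver = "awslogs"
      options = {
        "awslogs-group"         = "/ecs/dev-service-api"
        "awslogs-region"        = "eu-west-3"
        "awslogs-stream-prefix" = "api"
      }
    }
  }])
}
```

Because the password only transits through the execution role, the IAM policy on that role is the place to scope access: grant `ssm:GetParameters` on the single parameter ARN rather than on `/gocyc/*`.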
For security details, see TECHNICAL.md → Security Considerations
## Troubleshooting

| Issue | Solution | Details |
|---|---|---|
| Terraform init fails | Check S3 bucket exists | TECHNICAL.md |
| ECS task fails to start | Check CloudWatch Logs | TECHNICAL.md |
| Can't access RDS | Check security groups | TECHNICAL.md |
| Grafana not accessible | Check monitoring instance | TECHNICAL.md |
| State lock stuck | Remove DynamoDB entry | TECHNICAL.md |
For all troubleshooting steps, see TECHNICAL.md → Troubleshooting
## Roadmap

- DynamoDB state locking for the S3 backend
- Automated RDS backup strategy
- Multi-region deployment support
- Cost optimization with budgets and alerts

For the full roadmap, see TECHNICAL.md → TODO Items
```bash
# Deploy to dev
export ENV=dev
./deploy_bootstrap.sh
./deploy_infra.sh
```

Configuration: `bootstrap/env/dev/terraform.tfvars`

```bash
# Deploy to production
export ENV=prd
# Edit terraform.tfvars to use production values
./deploy_bootstrap.sh
./deploy_infra.sh
```

Configuration: `bootstrap/env/prd/terraform.tfvars`

```bash
# Validate configuration
terraform validate
# Plan changes
terraform plan -var-file=env/dev/terraform.tfvars
# Apply changes
terraform apply -var-file=env/dev/terraform.tfvars
# Destroy infrastructure
terraform destroy -var-file=env/dev/terraform.tfvars
```

```bash
# List ECR repositories
aws ecr describe-repositories --region eu-west-3
# View ECS cluster
aws ecs describe-clusters --clusters gocyc-dev-ecs-cluster --region eu-west-3
# Get RDS endpoint
aws rds describe-db-instances --query 'DBInstances[0].Endpoint' --region eu-west-3
# View application logs
aws logs tail /ecs/dev-service-api --follow --region eu-west-3
```

For more commands, see TECHNICAL.md → Useful Commands
## Contributing

- Create a feature branch: `git checkout -b feature/my-feature`
- Make changes and test locally
- Format Terraform: `terraform fmt -recursive`
- Validate: `terraform validate`
- Commit: `git commit -am "Add my feature"`
- Push: `git push origin feature/my-feature`
- Create a Pull Request

- Use consistent formatting: `terraform fmt`
- Add descriptive comments for complex resources
- Update documentation when making changes
- Test in the dev environment before production
- Check Troubleshooting Section
- Review TECHNICAL.md documentation
- Check AWS documentation for specific services
- Review Terraform registry documentation
- Repository: SquidRings1/projet_final-devsecops
- Current Branch: ECS-patch
- Default Branch: main
- AWS Region: eu-west-3 (Paris)
- Last Updated: May 12, 2026
For comprehensive technical details, see TECHNICAL.md