This how-to will help you deploy a production-ready infrastructure on Digital Ocean using Terraform.
Pre-requisites
- Install Terraform
- Create a Digital Ocean account if you don't already have one (Use this link to get $100 credit)
- Generate a Personal Access Token for your Digital Ocean account to access the DigitalOcean API. Go to
API => Tokens/Keys => Generate New Token. Save thestringgenerated. - Create a domain for your project. Go to
Networking => Domains => Add domain
Initial setup terraform files
- Open your terminal and create a new project directory, and open with you code editor.
$ mkdir minimal-prod`
$ cd minimal-prod`
$ code .
- Create the following terraform files:
$ touch versions.tf
$ touch main.tf
$ touch variables.tf
- In
versions.tf, specify the Digital Ocean terraform provider as follows:
terraform {
required_providers {
digitalocean = {
source = "digitalocean/digitalocean"
version = "2.25.2"
}
}
}
- In
main.tf, add the token required by the provider like this:
provider "digitalocean" {
token = var.do_token
}
- In
variables.tf, create a new variable calleddo_token.
variable "do_token" {
type = string
description = "Digital Ocean personal access token"
default = "<token_string>"
}
If you wish to commit
variables.tfto your version control system, you might want to use a different file for more sensitive information, such as your Digital Ocean's personal access token. Create a new fileterraform.tfvarsand save the following to it:
do_token = "<digital_ocean_token>"
Replace
<digital_ocean_token>with the actual value generated.
⚠️ Make sure *.tfvars is in your .gitignore file.
- Now prepare your working directory for other commands by running the following command:
$ terraform init
Architecture Diagram
Below is a diagram representing the architecture that will be produced by executing the Terraform files at the end of this tutorial.
|
https
|
v
+--------------------+
| Load Balancer |
+--------------------------------------------------+
| | | |
| +--------------------+ |
| | |
| | |
| http +---------+ |
| | | | |
| | | | |
| +-------SSH------| Bastion |<---SSH---
| | | | |
| | | | |
| | +---------+ |
| +----------+---------+ |
| | | | |
| v v v |
| +-------+ +-------+ +-------+ |
| | web | | web | | web | |
| +---+---+ +---+---+ +---+---+ |
| | | | |
| | v | |
| | +----------+ | |
| | | | | |
| +---->| database |<---+ |
| | | |
| +----------+ |
+--------------------------------------------------+
Virtual Private Cloud (VPC) setup
- Create a file
network.tfand add the following to build the VPC
resource "digitalocean_vpc" "web" {
name = "${var.name}-vpc"
region = var.region
ip_range = var.ip_range
}
- Add new variables to
variables.tf
...
variable "name" {
type = string
description = "Infrastructure project name"
default = "minimal-prod"
}
variable "region" {
type = string
default = "ams2"
}
variable "ip_range" {
type = string
description = "IP range for VPC"
default = "192.168.22.0/24"
}
- Run the command below to see the execution plan so far
$ terraform plan
Web Servers setup
- Add a few more variables to
variables.tfto be used in the future
...
variable "droplet_count" {
type = number
default = 1
}
variable "image" {
type = string
description = "OS to install on the servers"
default = "ubuntu-20-04-x64"
}
variable "droplet_size" {
type = string
default = "s-1vcpu-1gb"
}
variable "ssh_key" {
type = string
}
variable "subdomain" {
type = string
}
variable "domain_name" {
type = string
}
- Create a new file
data.tfand add a data resource for our ssh key which will be pulled from Digital Ocean directly:
data "digitalocean_ssh_key" "main" {
name = var.ssh_key
}
- Create a file
servers.tfhold all the resources we'll be creating for our web servers as follows:
resource "digitalocean_droplet" "web" {
count = var.droplet_count
image = var.image
name = "web-${var.name}-${var.region}-${count.index + 1}"
region = var.region
size = var.droplet_size
ssh_keys = [data.digitalocean_ssh_key.main.id]
vpc_uuid = digitalocean_vpc.web.id
tags = ["${var.name}-webserver"]
user_data = <<EOF
#cloud-config
packages:
- nginx
- postgresql
- postgresql-contrib
runcmd:
- [ sh, -xc, "echo '<h1>web-${var.region}-${count.index + 1}</h1>' >> /var/www/html/index.html"]
EOF
lifecycle {
create_before_destroy = true
}
}
- Update
terraform.tfvarswith the following variables for our environment:
...
region = "ams3"
droplet_count = 3
ssh_key = "<ssh_key_name_on_digitalocean>"
domain_name = "<domain_added_on_digitalocean>"
subdomain = "app"
- Add a value for the domain you want to use in
data.tf
...
data "digitalocean_domain" "web" {
name = var.domain_name
}
- Create a lets encrypt certificate to be used by the load balancer. Add the following to the
servers.tffile
resource "digitalocean_certificate" "web" {
name = "${var.name}-certificate"
type = "lets_encrypt"
domains = ["${var.subdomain}.${data.digitalocean_domain.web.name}"]
lifecycle {
create_before_destroy = true
}
}
You can use the Digital Ocean terraform provider to provide your own certificate if you want to.
- Next, we create our load balancer with the correct forwarding rules and the firewall setup in
servers.tf. This is to block all inbound traffic directly to the web servers from the internet.
...
resource "digitalocean_loadbalancer" "web" {
name = "web-${var.region}"
region = var.region
droplet_ids = digitalocean_droplet.web.*.id
vpc_uuid = digitalocean_vpc.web.id
redirect_http_to_https = true
forwarding_rule {
entry_port = 443
entry_protocol = "https"
target_port = 80
target_protocol = "http"
certificate_name = digitalocean_certificate.web.name
}
forwarding_rule {
entry_port = 80
entry_protocol = "http"
target_port = 80
target_protocol = "http"
certificate_name = digitalocean_certificate.web.name
}
lifecycle {
create_before_destroy = true
}
}
resource "digitalocean_firewall" "web" {
name = "${var.name}-only-vpc-traffic"
droplet_ids = digitalocean_droplet.web.*.id
inbound_rule {
protocol = "tcp"
port_range = "1-65535"
source_addresses = [digitalocean_vpc.web.ip_range]
}
inbound_rule {
protocol = "udp"
port_range = "1-65535"
source_addresses = [digitalocean_vpc.web.ip_range]
}
inbound_rule {
protocol = "icmp"
source_addresses = [digitalocean_vpc.web.ip_range]
}
outbound_rule {
protocol = "tcp"
port_range = "1-65535"
destination_addresses = [digitalocean_vpc.web.ip_range]
}
outbound_rule {
protocol = "udp"
port_range = "1-65535"
destination_addresses = [digitalocean_vpc.web.ip_range]
}
outbound_rule {
protocol = "icmp"
destination_addresses = [digitalocean_vpc.web.ip_range]
}
outbound_rule {
protocol = "udp"
port_range = "53"
destination_addresses = ["0.0.0.0/0", "::/0"]
}
outbound_rule {
protocol = "tcp"
port_range = "80"
destination_addresses = ["0.0.0.0/0", "::/0"]
}
outbound_rule {
protocol = "tcp"
port_range = "443"
destination_addresses = ["0.0.0.0/0", "::/0"]
}
outbound_rule {
protocol = "icmp"
destination_addresses = ["0.0.0.0/0", "::/0"]
}
}
- Next, we create the record for the subdomain
...
resource "digitalocean_record" "web" {
domain = data.digitalocean_domain.web.name
type = "A"
name = var.subdomain
value = digitalocean_loadbalancer.web.ip
ttl = 30
}
Database resource
- Next, we add a few more variables to be used to setup our database in
variables.tfas follows:
...
variable "db_count" {
type = number
default = 1
}
variable "database_size" {
type = string
default = "db-s-1vcpu-1gb"
}
- Next, create
database.tfto build the database. For this example we will be creating a Postgres database.
resource "digitalocean_database_cluster" "postgres-cluster" {
name = "${var.name}-database-cluster"
engine = "pg"
version = "11"
size = var.database_size
region = var.region
node_count = var.db_count
private_network_uuid = digitalocean_vpc.web.id
}
resource "digitalocean_database_firewall" "postgress-cluster-firewall" {
cluster_id = digitalocean_database_cluster.postgres-cluster.id
rule {
type = "tag"
value = "${var.name}-webserver"
}
}
Jump server (Bastion) for accessing our infrastructure
- Next, we need to create a jump server (Bastion) to access our infrastructure. Create a
bastion.tfwith the following:
resource "digitalocean_droplet" "bastion" {
image = var.image
name = "bastion-${var.name}-${var.region}"
region = var.region
size = "s-1vcpu-1gb"
ssh_keys = [data.digitalocean_ssh_key.main.id]
vpc_uuid = digitalocean_vpc.web.id
tags = ["${var.name}-webserver"]
lifecycle {
create_before_destroy = true
}
}
resource "digitalocean_record" "bastion" {
domain = data.digitalocean_domain.web.name
type = "A"
name = "bastion-${var.name}-${var.region}"
value = digitalocean_droplet.bastion.ipv4_address
ttl = 300
}
resource "digitalocean_firewall" "bastion" {
name = "${var.name}-only-ssh-bastion"
droplet_ids = [digitalocean_droplet.bastion.id]
inbound_rule {
protocol = "tcp"
port_range = "22"
source_addresses = ["0.0.0.0/0", "::/0"]
}
outbound_rule {
protocol = "tcp"
port_range = "22"
destination_addresses = [digitalocean_vpc.web.ip_range]
}
outbound_rule {
protocol = "icmp"
destination_addresses = [digitalocean_vpc.web.ip_range]
}
}
- Now you can apply the files and let terraform create the infrastructure on Digital Ocean
$ terraform apply
You can use the
--auto-approveflag to let terraform automatically continue without asking you for approval.
Access the server through the bastion host
- Copy the domain name of the bastion host and ssh into it from your terminal.
$ ssh -A root@<FQDN of bastion host>
- Copy the IP address of any of the web servers and ssh into it from the bastion host
$ ssh root@<private_ip_address_of_server>
Delete infrastructure
This will undo everything. You can delete the infrastructure by running the following command:
$ terraform destroy
That's it.
Thanks for the time reading this!
Let me know if you there's a way you think this infrastructure can be improved.
👍
Top comments (2)
Great article, this is well written and very informative.
On top of making sure to add
.tfvarsextension to your.gitinore, you should also make sure your tfstate file is encrypted. Because when Terraform use a secret for creating resources, it writes the value to the tfstate as plain-text.I totally agree with you, thanks for pointing this out. 👏