Project Concept ‐ Autonomous Cloud‐Based Application - Campus-Castolo/m300 GitHub Wiki
Project Concept – Autonomous Cloud-Based Application Deployment Utilizing GitHub Actions and AWS Infrastructure
1. Project Objective and Delimitation
🌟 Objective
This initiative seeks to establish a robust, automated pipeline for deploying a containerized WordPress application, employing an infrastructure-as-code paradigm through the orchestration of GitHub Actions, Docker, Amazon Web Services (AWS), and Terraform. The operational trigger is a push event to the primary GitHub repository branch, which subsequently initiates a CI/CD workflow. This pipeline performs a semantic versioning–based Docker image build, pushes the resultant artifact to AWS Elastic Container Registry (ECR), and invokes Terraform to instantiate and configure the requisite AWS infrastructure. The resultant state is a production-grade application stack, resilient and modular by design.
📦 Scope of Work
✅ Implementation of CI/CD via GitHub Actions
✅ Semantic tagging of Docker images using Git metadata
✅ Secure container registry interactions with AWS ECR
✅ Declarative infrastructure provisioning via Terraform
✅ Deployment of compute workloads using ECS Fargate
✅ Provisioning of managed database services using Amazon RDS
✅ Integration of observability features via Amazon CloudWatch
✅ Traffic distribution and fault tolerance through ALB
✅ Scheduled data persistence using AWS Lambda for RDS snapshot automation
2. Cloud Architecture (Amazon Web Services)
☁️ Core AWS Services Utilized
| Component | Functional Role |
|---|---|
| ECS Fargate | Executes the Dockerized WordPress workload |
| ECR | Central repository for storing and versioning container images |
| RDS MySQL | Relational database engine for application persistence |
| ALB | Application-level routing and load distribution |
| Lambda + CloudWatch | Orchestration of periodic backups and system observability |
| VPC + Security Groups | Logical network isolation and security enforcement mechanisms |
This architecture is designed for resilience, modularity, and scalability. The use of managed services offloads operational complexity while allowing fine-grained control over security and availability configurations.
3. Continuous Integration and Deployment Pipeline
📝 GitHub Actions Workflow Overview
| Stage | Description |
|---|---|
| Repository Trigger | Git-based event detection (push to main) initiates the deployment sequence |
| Docker Image Build | Constructs a semantically versioned container image |
| ECR Upload | Authenticates and uploads the Docker image to AWS ECR |
| Infrastructure Apply | Executes terraform apply to provision and update cloud resources |
4. Declarative Infrastructure via Terraform
🔧 Key Infrastructure Modules and Definitions
| File | Functional Contribution |
|---|---|
infrastructure-ecs.tf |
Defines container orchestration logic for ECS Fargate |
infrastructure-rds.tf |
Configures a scalable, secure MySQL instance using RDS |
infrastructure-alb.tf |
Articulates load balancer logic and listener configurations |
infrastructure-vpc.tf |
Constructs the foundational network layout |
infrastructure-sec.tf |
Enforces access policies through granular security groups |
infrastructure-cloudwatch.tf |
Defines observability via logging and metric collection |
lambda-rds-backup.tf |
Establishes scheduled Lambda invocations for RDS snapshots |
iam-ec2-nic-policy.tf |
Specifies IAM policies for EC2 networking interface control |
🔄 Role of Terraform in Orchestration
Terraform serves as the declarative control plane that enables consistent, repeatable, and modular deployment of infrastructure-as-code (IaC) artifacts. The orchestration begins with variables.tf, which serves as the contract for input variables—defining types, constraints, descriptions, and in certain cases, default values.
The actual values for these variables are provisioned in the terraform.tfvars file, which acts as a runtime configuration source and often contains credentials, ARNs, resource names, and IDs.
The provider.tf file is pivotal in binding the Terraform runtime to its external dependencies. It not only specifies the AWS provider but leverages interpolated variables to authenticate sessions and define targeted environments.
Once providers are configured, downstream modules—represented by infrastructure files—are instantiated. Terraform’s orchestration engine ensures resource dependency resolution via DAG (Directed Acyclic Graph) analysis, enforces idempotency, and permits dry-run planning (terraform plan). This layered composition promotes reusability, security, and integration with DevOps practices.
Terrafrom Dependency
graph TD
infrastructure-ecs --> infrastructure-alb
infrastructure-ecs --> infrastructure-sec
infrastructure-ecs --> infrastructure-ecr
infrastructure-ecs --> infrastructure-vpc
infrastructure-rds --> infrastructure-sec
infrastructure-rds --> infrastructure-vpc
lambda-rds-backup --> infrastructure-rds
lambda-rds-backup --> infrastructure-cloudwatch
lambda-rds-backup --> infrastructure-sec
infrastructure-alb --> infrastructure-vpc
infrastructure-alb --> infrastructure-sec
infrastructure-sec --> infrastructure-vpc
iam-ec2-nic-policy --> aws_iam_policy_ec2_network_interface_management
iam-ec2-nic-policy --> aws_iam_user_policy_attachment_attach_policy_to_user
infrastructure-alb --> aws_lb_ecs_alb
infrastructure-alb --> aws_lb_target_group_ecs_tg
infrastructure-alb --> aws_lb_listener_ecs_listener
infrastructure-cloudwatch --> aws_cloudwatch_log_group_ecs_logs
infrastructure-cloudwatch --> aws_sns_topic_alarm_notifications
infrastructure-cloudwatch --> aws_sns_topic_subscription_email
infrastructure-cloudwatch --> aws_sns_topic_subscription_sms
infrastructure-cloudwatch --> aws_cloudwatch_dashboard_main
infrastructure-cloudwatch --> aws_cloudwatch_metric_alarm_ecs_cpu_high
infrastructure-cloudwatch --> aws_cloudwatch_metric_alarm_alb_5xx_errors
infrastructure-cloudwatch --> aws_cloudwatch_metric_alarm_rds_low_storage
infrastructure-cloudwatch --> aws_cloudwatch_metric_alarm_demo_trigger_alarm
infrastructure-ecr --> aws_ecr_repository_m300
infrastructure-ecr --> aws_ecr_lifecycle_policy_m300_policy
infrastructure-ecs --> aws_ecs_cluster_wordpress_cluster
infrastructure-ecs --> aws_ecs_task_definition_wordpress_task
infrastructure-ecs --> aws_ecs_service_wordpress_service
infrastructure-rds --> aws_db_subnet_group_wordpress_db_subnet_group
infrastructure-rds --> aws_db_instance_wordpress_db_1
infrastructure-rds --> aws_db_instance_wordpress_db_2
infrastructure-sec --> aws_security_group_security_group-ecs-wordpress
infrastructure-sec --> aws_security_group_security_group-db
infrastructure-sec --> aws_security_group_rule_ecs_to_db
infrastructure-sec --> aws_security_group_rule_db1_to_db2_replication
infrastructure-sec --> aws_security_group_security_group-alb
infrastructure-vpc --> aws_vpc_m300_vpc
infrastructure-vpc --> aws_internet_gateway_igw
infrastructure-vpc --> aws_subnet_public_1
infrastructure-vpc --> aws_subnet_public_2
infrastructure-vpc --> aws_subnet_private_1
infrastructure-vpc --> aws_subnet_private_2
infrastructure-vpc --> aws_route_table_public_rt
infrastructure-vpc --> aws_route_public_internet_access
infrastructure-vpc --> aws_route_table_association_public_1_assoc
infrastructure-vpc --> aws_route_table_association_public_2_assoc
infrastructure-vpc --> aws_route_table_private_rt
infrastructure-vpc --> aws_route_table_association_private_1_assoc
infrastructure-vpc --> aws_route_table_association_private_2_assoc
lambda-rds-backup --> aws_iam_role_lambda_rds_snapshot
lambda-rds-backup --> aws_iam_role_policy_lambda_rds_snapshot_policy
lambda-rds-backup --> aws_lambda_function_rds_snapshot
lambda-rds-backup --> aws_cloudwatch_event_rule_daily_rds_snapshot
lambda-rds-backup --> aws_cloudwatch_event_target_lambda_rds_snapshot
lambda-rds-backup --> aws_lambda_permission_allow_eventbridge
note also listed in dependency graph
5. Monitoring, Observability, and Backup Automation
🔍 Instrumentation and Data Integrity
| Component | Purpose and Functional Role |
|---|---|
| Amazon CloudWatch | Centralizes telemetry, including logs and performance metrics |
| AWS Lambda | Implements scheduled database snapshots for resilience |
| IAM Role Configs | Facilitates secure and scoped service-to-service authentication |
📅 Operational Readiness
✅ Visualization dashboards deployed for ECS and RDS
✅ Lambda scheduled events function as intended
✅ CloudWatch alarms and metrics embedded in infrastructure-as-code templates
6. System Topology and Visual Summary
7. Project Milestones and Progress Tracking
| Development Phase | Operational Focus | Completion Status |
|---|---|---|
| CI/CD Integration | Workflow definition within GitHub Actions | ✅ |
| Container Registry | Docker image lifecycle and ECR interaction | ✅ |
| Infrastructure Provision | Terraform modules: VPC, ECS, RDS, etc. | ✅ |
| Observability & Backup | Integration of CloudWatch and Lambda automation | ✅ |
| System Validation | Comprehensive test of end-to-end infrastructure | ✅ |
| Documentation Delivery | Finalization of reports and instructional material | ⏳ |
8. Technical Constraints and Considerations
- ❗ Management of fine-grained IAM policies across diverse AWS services
- ❗ Remote state configuration and Terraform lifecycle governance
- ❗ Synchronization of semantic versioning across Git, Docker, and Terraform artifacts
- ❗ Debugging and scheduling constraints related to Lambda-based backup automation
9. Synthesis and Evaluation
This project underscores the efficacy of codified, event-driven infrastructure deployments within modern cloud-native paradigms. By integrating container lifecycle automation with declarative provisioning, the solution delivers high availability, scalability, and observability out of the box. Operational concerns such as data durability, release governance, and resource allocation are systematically addressed. The architecture is well-suited for production workloads, particularly those adhering to DevOps and GitOps principles.
10. Prospective Enhancements
- Implement autoscaling policies for ECS services based on CloudWatch metrics
- Introduce CloudFront as a content delivery layer to enhance latency performance
- Integrate AWS WAF to provide HTTP-layer security controls
- Expand backup strategy with restoration workflows for RDS
- Develop environment-specific configurations (development, staging, production)