The Terraform configuration provisions the entire AWS network and compute foundation for Innovatech Chile. It creates a 3-tier VPC with six subnets spread across two availability zones, attaches the required gateways, and launches three EC2 instances — one per tier — each protected by a chained security group architecture.

Provider configuration

The project requires Terraform 1.0 or later and uses the AWS provider pinned to the ~> 5.0 range. Authentication relies on environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN) that AWS Academy injects at session start.
00-versions.tf
terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

Network: VPC and subnets

The VPC uses the 10.0.0.0/20 CIDR block (4,096 addresses) with DNS support and DNS hostnames enabled. Six /24 subnets are distributed across us-east-1a and us-east-1b in three tiers.
01-network.tf
resource "aws_vpc" "main" {
  cidr_block           = "10.0.0.0/20"
  enable_dns_support   = true
  enable_dns_hostnames = true
  tags = {
    Name = "academy-vpc"
  }
}

locals {
  azs = ["us-east-1a", "us-east-1b"]
}

Subnet layout

| Tier | Subnet | CIDR | AZ |
|---|---|---|---|
| Public (web) | public-subnet-1 | 10.0.0.0/24 | us-east-1a |
| Public (web) | public-subnet-2 | 10.0.1.0/24 | us-east-1b |
| Private (app) | private-app-subnet-1 | 10.0.2.0/24 | us-east-1a |
| Private (app) | private-app-subnet-2 | 10.0.3.0/24 | us-east-1b |
| Private (data) | private-data-subnet-1 | 10.0.4.0/24 | us-east-1a |
| Private (data) | private-data-subnet-2 | 10.0.5.0/24 | us-east-1b |
Public subnets have map_public_ip_on_launch = true. App and data subnets have no direct internet access.
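The subnet resources themselves are not shown on this page. The block below is an added example (not the project's own 01-network.tf) that derives exactly the six /24 blocks in the table from the /20 VPC CIDR with cidrsubnet(), using the local.azs list defined above; the resource names aws_subnet.private_app and aws_subnet.private_data are assumptions.

```hcl
# cidrsubnet(prefix, newbits, netnum): adding 4 bits to the /20 yields a /24,
# and netnum selects which of the sixteen /24 blocks is used.
# netnum 0,1 -> public tier; 2,3 -> app tier; 4,5 -> data tier (matches the table).

resource "aws_subnet" "public" {
  count                   = length(local.azs)
  vpc_id                  = aws_vpc.main.id
  cidr_block              = cidrsubnet(aws_vpc.main.cidr_block, 4, count.index)      # 10.0.0.0/24, 10.0.1.0/24
  availability_zone       = local.azs[count.index]
  map_public_ip_on_launch = true   # only the web tier gets public addresses at launch
  tags = { Name = "public-subnet-${count.index + 1}" }
}

resource "aws_subnet" "private_app" {
  count             = length(local.azs)
  vpc_id            = aws_vpc.main.id
  cidr_block        = cidrsubnet(aws_vpc.main.cidr_block, 4, 2 + count.index)        # 10.0.2.0/24, 10.0.3.0/24
  availability_zone = local.azs[count.index]
  tags = { Name = "private-app-subnet-${count.index + 1}" }
}

resource "aws_subnet" "private_data" {
  count             = length(local.azs)
  vpc_id            = aws_vpc.main.id
  cidr_block        = cidrsubnet(aws_vpc.main.cidr_block, 4, 4 + count.index)        # 10.0.4.0/24, 10.0.5.0/24
  availability_zone = local.azs[count.index]
  tags = { Name = "private-data-subnet-${count.index + 1}" }
}
```

Because the private tiers omit map_public_ip_on_launch, any instance placed there gets only a private address and depends on the NAT Gateway route for outbound access.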

Gateways and routing

An Internet Gateway (academy-igw) handles inbound and outbound internet traffic for the public subnets. A NAT Gateway (academy-nat) allows private instances to reach the internet for outbound requests without exposing them to inbound connections.
01-network.tf
resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.main.id
  tags   = { Name = "academy-igw" }
}

resource "aws_eip" "nat_eip" {
  domain = "vpc"
}

resource "aws_nat_gateway" "nat" {
  allocation_id = aws_eip.nat_eip.id
  subnet_id     = aws_subnet.public[0].id
  tags          = { Name = "academy-nat" }
  depends_on    = [aws_internet_gateway.igw]
}
Two route tables govern traffic flow:
  • Public route table: 0.0.0.0/0 → Internet Gateway; associated with both public subnets.
  • Private route table: 0.0.0.0/0 → NAT Gateway; associated with all four private subnets.

S3 VPC endpoint

A Gateway-type VPC endpoint routes S3 traffic directly inside the AWS network, bypassing the NAT Gateway and eliminating per-GB NAT charges for S3 access.
01-network.tf
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.main.id
  vpc_endpoint_type = "Gateway"
  service_name      = "com.amazonaws.us-east-1.s3"
  route_table_ids = [
    aws_route_table.public_rt.id,
    aws_route_table.private_rt.id
  ]
  tags = { Name = "s3-gateway-endpoint" }
}
The S3 endpoint automatically adds routes to the associated route tables. No extra configuration is required after terraform apply.

Security groups

Traffic flows in one direction through three chained security groups: sg_web → sg_app → sg_datos. Each inner layer only accepts connections from the layer above it.
resource "aws_security_group" "sg_web" {
  name        = "web-sg"
  description = "Allow HTTP and SSH from internet"
  vpc_id      = aws_vpc.main.id

  ingress {
    description = "SSH access from anywhere"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description = "HTTP access from anywhere"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description = "ICMP for connectivity testing (ping)"
    from_port   = -1
    to_port     = -1
    protocol    = "icmp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
sg_datos allows SSH on port 22 from sg_web so that ec2-web can act as a bastion for Ansible management of the data instance. MySQL port 3306 is only reachable from sg_app.
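Only sg_web is listed on this page. The following is an added example (not the project's own sg_app and sg_datos definitions) that implements the chain described above by referencing the upstream security group's ID instead of a CIDR range. The names app-sg and datos-sg, the app service port 8080, and the SSH rule from sg_web into sg_app are assumptions; the 3306-from-sg_app and 22-from-sg_web rules on sg_datos follow the text.

```hcl
resource "aws_security_group" "sg_app" {
  name   = "app-sg"
  vpc_id = aws_vpc.main.id
  ingress {
    description     = "App service port, only from the web tier (8080 is an assumption)"
    from_port       = 8080
    to_port         = 8080
    protocol        = "tcp"
    security_groups = [aws_security_group.sg_web.id]   # source SG, not a CIDR
  }
  ingress {
    description     = "SSH jump from ec2-web (assumed, per the app_instance_private_ip output)"
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = [aws_security_group.sg_web.id]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group" "sg_datos" {
  name   = "datos-sg"
  vpc_id = aws_vpc.main.id
  ingress {
    description     = "MySQL only from the app tier"
    from_port       = 3306
    to_port         = 3306
    protocol        = "tcp"
    security_groups = [aws_security_group.sg_app.id]
  }
  ingress {
    description     = "SSH from ec2-web acting as Ansible bastion"
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = [aws_security_group.sg_web.id]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

Because each rule keys on a security-group ID rather than the tier's subnet CIDR, an instance launched in the app subnet without sg_app attached still cannot reach port 3306 on ec2-datos.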

EC2 instances

All three instances use the latest Amazon Linux 2023 AMI (al2023-ami-*-x86_64) and the t3.micro instance type. The IAM instance profile wraps the pre-existing LabRole, granting SSM Session Manager access without opening extra inbound ports.
02-compute.tf
data "aws_iam_role" "lab_role" {
  name = "LabRole"
}

resource "aws_iam_instance_profile" "lab_profile" {
  name_prefix = "LabRoleProfile-"
  role        = data.aws_iam_role.lab_role.name
}
| Instance | Subnet | Security group | Public IP |
|---|---|---|---|
| ec2-web | public-subnet-1 | sg_web | Elastic IP |
| ec2-app | private-app-subnet-1 | sg_app | None |
| ec2-datos | private-data-subnet-1 | sg_datos | None |
ec2-web receives a dedicated Elastic IP that persists across instance stops and starts:
02-compute.tf
resource "aws_eip" "web_eip" {
  instance   = aws_instance.ec2_web.id
  domain     = "vpc"
  depends_on = [aws_internet_gateway.igw]
}

Variables

variables.tf
variable "key_name" {
  description = "The name of the SSH key pair provided by AWS Academy"
  type        = string
  default     = ""
}
Set key_name to the name of the key pair created in your AWS Academy lab session before running terraform apply.

Outputs

After a successful apply, Terraform prints four values needed for Ansible inventory and SSH jump configuration:
03-outputs.tf
output "web_eip_public_ip" {
  description = "Stable public Elastic IP of the Web/Bastion instance"
  value       = aws_eip.web_eip.public_ip
}

output "web_instance_private_ip" {
  description = "The private IP of the Web instance"
  value       = aws_instance.ec2_web.private_ip
}

output "app_instance_private_ip" {
  description = "The private IP of the Application instance (Use this for SSH jump from Web)"
  value       = aws_instance.ec2_app.private_ip
}

output "datos_instance_private_ip" {
  description = "The private IP of the Data instance (Use this for SSH jump from App)"
  value       = aws_instance.ec2_datos.private_ip
}

Applying the configuration

1. Export AWS credentials

Set the environment variables provided by your AWS Academy lab session:
export AWS_ACCESS_KEY_ID=...
export AWS_SECRET_ACCESS_KEY=...
export AWS_SESSION_TOKEN=...

2. Set the key pair name

Pass the SSH key pair name created in your lab:
export TF_VAR_key_name=vockey

3. Initialize Terraform

Download the AWS provider plugin:
terraform init

4. Preview the plan

Review all resources before creating them:
terraform plan

5. Apply the configuration

Create the infrastructure and note the output IPs:
terraform apply
