Drupal on AWS ECS

Terraform blueprint that deploys a robust and scalable Drupal CMS on AWS using ECS Fargate, Aurora MySQL and the Bitnami container image.

This Terraform blueprint deploys a highly available and scalable Drupal site on AWS using ECS Fargate. It uses a container with the latest version of Drupal 10.x and the Apache web server, packaged by Bitnami.

Why use this Terraform blueprint?

  • Deploy enterprise-grade Drupal into your AWS environment in minutes.
  • Serverless architecture leveraging ECS Fargate and Aurora to minimize operational overhead.
  • CloudFront CDN accelerates content delivery and reduces latency.
  • Drupal instances are protected against common web exploits using Web Application Firewall (WAF).
  • Scalable and highly available architecture. No single point of failure.
  • Official Bitnami Drupal image is updated regularly.

Drupal deployment on AWS ECS diagram

How to use this blueprint?

This blueprint contains the full Terraform code, configuration files and documentation needed to deploy and maintain a Drupal site on AWS. You can use this blueprint as a turn-key solution for deploying Drupal into a new AWS account or as a starting point for your implementation.

  1. Download the latest blueprint release.
  2. Configure the tfvars file for your environment. Configuration parameters can be found in the Configuration section.
  3. Follow setup instructions provided separately.

Terraform structure and AWS resources

Terraform files are built using open-source Terraform modules such as CloudPosse.

NOTE

This blueprint is not a Terraform module, rather it is a complete deployable Terraform stack.

  • alb.tf - ALB and Target Groups
  • certs.tf - ACM SSL Certificates for ALB and CloudFront
  • cloudfront.tf - CloudFront configuration optimised for Drupal
  • data.tf - Local variables and data sources
  • database.tf - RDS Aurora MySQL database
  • default.auto.tfvars - Default configuration parameters. Edit this file to adjust the blueprint configuration. See the complete list of the Configuration parameters.
  • dns.tf - Route53 DNS zone and records
  • ecs.tf - ECS Fargate Service and Task. EFS shared volume for persistent Drupal data.
  • main.tf - Main Terraform file
  • network.tf - VPC, subnets, NAT gateways, Gateway Endpoints, and other networking resources.
  • outputs.tf - Output variables
  • provider.tf - Terraform AWS providers and aliases
  • secrets.tf - Secrets Manager secrets
  • tfstate.tf - Optional remote state configuration
  • variables.tf - Input variable declarations
  • versions.tf - Terraform version requirements
  • waf.tf - WAF and ACL configuration. Optimised to secure a Drupal deployment.
  • examples/*.tfvars - Configuration examples for staging and production environments. See the complete list of the Configuration parameters.
  • modules/secret-generator/ - Secret generator module

For a full list of modules, see the Dependencies section of the Configuration document.

Architecture

This blueprint prioritizes high availability, security, scalability, and cost optimization in alignment with AWS Well-Architected Framework and other official AWS best practices.

High Availability. All components of the infrastructure are deployed into at least two Availability Zones for continuous operation. The architecture ensures your Drupal site remains online, with fault tolerance and point-in-time recovery (PITR) provided by Aurora and EFS.

Scalability. You can scale ECS tasks, EFS volume and Aurora replicas as needed. Easily adapt to changing workload demands, with automatic scaling of Aurora and EFS loads as your data and traffic grow.

Security. Apart from the ALB, which sits in a public subnet as the single entry point for incoming traffic, all components of the infrastructure are deployed into private subnets and are not directly accessible from the Internet. WAF protects instances against common web exploits.

Cost-optimization. To minimise operational overhead, the blueprint leverages fully managed components such as ECS Fargate and RDS Aurora. Furthermore, you can opt-in to use AWS Fargate Spot to reduce the cost of running ECS tasks.

Architecture Components

ECS Fargate. Drupal is deployed as an ECS Fargate task that uses a hardened container image provided by Bitnami. This image is optimised for security, performance and extensibility. It is constantly updated with the latest releases by Bitnami.

Elastic File System (EFS). A shared EFS volume is used for persisting and distributing data across Availability Zones. It enables stateful operation of Drupal and data sharing among instances. ECS tasks access shared Drupal data in an EFS file system using Mount Targets created in each AZ.

RDS Aurora MySQL. This managed database service is used for persisting Drupal data and ensures high availability, scalability, and automatic backups with point-in-time recovery support.

Application Load Balancer (ALB). ALB is deployed in a public subnet and serves as a single entry point for all incoming traffic. It provides secure and efficient routing of traffic to Drupal instances.

CloudFront (Optional). CloudFront CDN is used to serve static and dynamic content, accelerate content delivery, and reduce latency. It enhances website performance and reduces server load by caching content at the edge. In this blueprint, CloudFront operates in reverse proxy mode where all requests go through CloudFront and it pulls content from the origin (ALB).

Web Application Firewall (WAF) (Optional). This component protects Drupal instances against Drupal-specific as well as common web exploits (OWASP). It enhances the security of your Drupal application by shielding it from known vulnerabilities. Moreover, it can be extended with custom rules to meet your specific security requirements.

Jumpbox and SSM Session Manager (Optional). The Jumpbox, an SSM-managed EC2 instance, acts as a gateway for connecting to the Aurora database using SSM Session Manager. Connection to the Drupal ECS task is also enabled by SSM Session Manager and ECS Exec. Details about connecting to Drupal tasks and the MySQL database are provided in the Maintenance documentation.

AWS Certificate Manager (ACM). ACM is used for managing SSL certificates for ALB and CloudFront.

Route53. Drupal DNS records and ACM certificate verification records will be added to the provided Route53 zone. If no zone is provided, the blueprint will create a new public hosted zone for the specified TLD.

Data Encryption and Secrets Management

Data Encryption. All data at rest, including EFS and RDS Aurora, is encrypted using AWS Key Management Service (KMS). Optionally, existing KMS Customer Managed Keys (CMKs) can be specified to encrypt data at rest. This ensures data security and compliance with encryption standards.

Secrets Management. All secrets, such as database credentials and API keys, are stored in AWS Secrets Manager. It provides centralized and secure storage and rotation of secrets, with the option to encrypt them further using KMS Customer Managed Keys (CMKs).
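
To check the encryption-at-rest and CMK settings described above before applying, the following added example (not part of the blueprint) audits the JSON form of a Terraform plan as produced by `terraform show -json`. The resource addresses in the sample are constructed and do not come from the blueprint's own files.

```python
import json

UNKNOWN = object()  # attribute is "known after apply" in the plan

# Attribute that must be true for the encrypted-at-rest claim to hold.
ENCRYPT_ATTR = {"aws_efs_file_system": "encrypted",
                "aws_rds_cluster": "storage_encrypted"}
# Resource types that accept an optional customer managed key (CMK).
CMK_TYPES = {"aws_efs_file_system", "aws_rds_cluster", "aws_secretsmanager_secret"}

def _planned(change, attr):
    """Planned value of attr, or UNKNOWN if it is only computed at apply time."""
    if (change.get("after_unknown") or {}).get(attr) is True:
        return UNKNOWN
    return (change.get("after") or {}).get(attr)

def audit_plan(plan):
    """Return (severity, address, message) tuples for one plan document."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change") or {}
        if change.get("after") is None:      # resource is being destroyed
            continue
        rtype, addr = rc["type"], rc["address"]
        attr = ENCRYPT_ATTR.get(rtype)
        if attr:
            value = _planned(change, attr)
            if value is UNKNOWN:
                findings.append(("WARN", addr, f"{attr} unknown until apply"))
            elif value is not True:
                findings.append(("FAIL", addr, f"{attr} is not true"))
        if rtype in CMK_TYPES and not _planned(change, "kms_key_id"):
            findings.append(("INFO", addr, "no customer managed key configured"))
    return findings

# Constructed sample in the shape of `terraform show -json` output;
# the resource addresses are hypothetical, not the blueprint's own.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "aws_efs_file_system.drupal", "type": "aws_efs_file_system",
   "change": {"after": {"encrypted": true}, "after_unknown": {"kms_key_id": true}}},
  {"address": "aws_rds_cluster.drupal", "type": "aws_rds_cluster",
   "change": {"after": {"storage_encrypted": false, "kms_key_id": null},
              "after_unknown": {}}},
  {"address": "aws_secretsmanager_secret.db", "type": "aws_secretsmanager_secret",
   "change": {"after": {"kms_key_id": null}, "after_unknown": {}}}
]}
""")
```

A FAIL finding means the planned resource would store data unencrypted; INFO findings mark resources that would fall back to an AWS managed key rather than a CMK.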

For more detailed information on deploying and maintaining this Terraform blueprint, please refer to the associated Maintenance documentation.

Performance and Scalability

Drupal deployments with rarely updated or static content will benefit from CloudFront CDN which can handle most of the requests under 30 ms. It will also reduce the load on the ECS instances.

For deployments with predominantly dynamic content, the performance will depend on the ECS Fargate, Aurora and EFS configuration.

ECS Fargate instances can be scaled horizontally and vertically to handle increased traffic. Shared EFS volume can provide up to 250,000 read and 50,000 write IOPS with throughput reaching 10 GiB/s. Aurora MySQL instances can be scaled vertically to handle increased database load and storage throughput.

Maintenance

As a part of the blueprint package, you are provided with documentation and tools to help you maintain your Drupal site on AWS. Drupal maintenance covers the following topics:

  • Scaling options and instructions for Drupal instances and the database.
  • Updating Drupal and MySQL.
  • Backup and restore procedures for MySQL and EFS.
  • Remote access to Drupal instances and MySQL database.
  • Using Drupal CLI (Drush) and installing plugins.
  • Advanced Drupal container customization.

FAQ

How much does it cost to run Drupal on AWS ECS?

The cost of running this blueprint on AWS ECS depends on the size and number of instances, database, and other resources configured. We estimate that a small Drupal site with a single instance and a small database can cost around $120 per month. A large Drupal site with multiple and more powerful instances can cost hundreds of dollars per month.

What is the difference between this blueprint and the AWS Lightsail for Drupal?

Lightsail is tailored for users looking for a simplified and user-friendly experience. It offers pre-configured virtual private servers with an easy-to-use management console, making it ideal for beginners. Lightsail simplifies management tasks and offers a fixed monthly cost. However, it has limitations in scalability and customization, making it more suitable for smaller to medium-sized websites.

On the other hand, the architecture of this blueprint leverages building blocks such as ECS Fargate, Aurora and CloudFront to provide greater flexibility, scalability, and customization options. It allows users to fine-tune their cloud infrastructure to meet specific needs, making it ideal for advanced use cases.

Unlike Lightsail, most of the AWS services have usage-based pricing. Therefore, while this blueprint offers more customization, it's essential to monitor resource usage carefully to control costs effectively.

What is the difference between this blueprint and deploying Drupal on AWS Beanstalk?

AWS Beanstalk is a managed PaaS that abstracts away the underlying infrastructure. It offers a simplified deployment experience and is ideal for beginners. However, it has limitations in scalability and customization, making it more suitable for smaller to medium-sized websites.

In many ways, a solution based on AWS Beanstalk would look similar to this blueprint and require CloudFront, Aurora, and EFS to work. Therefore, a Beanstalk-based solution would be less flexible without offering any significant benefits.

How often is this blueprint updated?

This blueprint is updated regularly to ensure it is compatible with the latest Terraform version, providers and modules. It is also updated with the latest Drupal and Bitnami releases.

What new features are planned for this blueprint?

We are currently working on adding the following features:

  • ECS Autoscaling support
  • ECS Fargate Spot support
  • ECS Fargate Graviton support
  • ElastiCache Memcached support
  • CloudWatch dashboards and alarms
  • Aurora Serverless configuration
©2024 InfraSource