# WordPress on AWS ECS

Terraform blueprint that deploys a robust, scalable WordPress site on AWS using ECS Fargate, Aurora MySQL and the Bitnami WordPress (nginx) container. The stack fronts the ECS service with an ALB, optionally CloudFront and AWS WAF, stores `wp-content` on EFS, and keeps database credentials in Secrets Manager.

## Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.3.0 |
| aws | >= 5.0 |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| access_logs_retention_days | Number of days to retain ALB and CloudFront access logs in the S3 bucket. Logs older than this are deleted. Set to 0 to retain logs indefinitely. | `number` | `90` | no |
| availability_zones | List of Availability Zones (AZs) where subnets will be created, e.g. `["eu-west-2a", "eu-west-2b"]`. Ignored when `availability_zone_ids` is set. The order of zones in the list must be stable, otherwise Terraform will continually make changes. If no AZs are specified, subnets are created in all available AZs. Setting `availability_zones` explicitly is recommended for predictability, consistency and stability. | `list(string)` | `[]` | no |
| cdn_default_content_cache_ttl | Cache TTL (seconds) for all WordPress content other than the static and dynamic content matched by `cdn_static_content_path_patterns` and `cdn_dynamic_content_path_patterns` respectively, e.g. the home page, pages and posts. Increase for high-load sites. | `number` | `300` | no |
| cdn_dynamic_content_path_patterns | List of dynamic WordPress content path patterns that must never be cached. | `list(string)` | `["/wp-admin/*", "/wp-login.php", "/wp-signup.php", "/wp-trackback.php", "/wp-cron.php", "/xmlrpc.php", "/wp-json/*"]` | no |
| cdn_enabled | Enable the CloudFront CDN for the site. | `bool` | `true` | no |
| cdn_price_class | CloudFront distribution price class. One of `PriceClass_All`, `PriceClass_200`, `PriceClass_100`. See also the CloudFront documentation on choosing a price class. | `string` | `"PriceClass_100"` | no |
| cdn_static_content_browser_cache_ttl | Browser cache TTL (seconds) for static WordPress content. CloudFront adds a `Cache-Control` header with this value to responses matching `cdn_static_content_path_patterns` only if the header is absent from the origin response. If a WordPress plugin (e.g. W3 Total Cache) sets `Cache-Control`, the plugin's value wins and this setting is overridden. | `number` | `604800` | no |
| cdn_static_content_cache_ttl | CloudFront cache TTL (seconds) for static WordPress content. Typically this content should be cached for a long period. | `number` | `604800` | no |
| cdn_static_content_path_patterns | List of static WordPress content path patterns to cache for a long period. This is usually versioned content that is invalidated with cache-busting query strings. | `list(string)` | `["/wp-content/*", "/wp-includes/*"]` | no |
| container_config | Additional WordPress and PHP configuration passed to the WordPress container as environment variables. See https://hub.docker.com/r/bitnami/wordpress-nginx for the full list. Note: database connection and other mandatory settings are injected automatically. | `map(string)` | `{}` | no |
| container_image | WordPress container image. | `string` | `"docker.io/bitnami/wordpress-nginx:latest"` | no |
| container_logs_retention_days | Number of days to retain ECS container logs in CloudWatch. Logs older than this are deleted. Set to 0 to retain logs indefinitely. | `number` | `90` | no |
| db_admin_password_version | Version of the auto-generated database admin password. Incrementing this triggers a database password rotation. Note that this may break database connectivity and require manual intervention. | `number` | `1` | no |
| db_backup_retention_period | Number of days to retain database backups. | `number` | `5` | no |
| db_cluster_family | The family of the RDS database cluster parameter group (e.g. `aurora-mysql8.0`). | `string` | n/a | yes |
| db_engine_version | The RDS database engine version to use. See `aws rds describe-db-engine-versions --engine aurora-mysql` for options. | `string` | n/a | yes |
| db_instance_class | Instance class for the RDS Aurora MySQL database instances. See the AWS list of available Aurora instance classes. | `string` | n/a | yes |
| db_instance_count | Number of database instances to create in the RDS cluster. | `number` | n/a | yes |
| db_storage_kms_arn | ARN of the KMS Customer Managed Key (CMK) used to encrypt RDS storage. Leave blank to use the AWS managed key. | `string` | `null` | no |
| dns_subdomain | Subdomain for the WordPress site, e.g. `"www"`. | `string` | n/a | yes |
| dns_zone_name | Route 53 public zone name for the WordPress site, e.g. `example.com`. If the DNS zone already exists, records are added to it; otherwise a zone is created. | `string` | n/a | yes |
| efs_backup_enabled | Enable automatic backup of the Elastic File System (EFS) volume using AWS Backup. | `bool` | `true` | no |
| efs_kms_arn | ARN of the KMS Customer Managed Key (CMK) used to encrypt the EFS volume. Leave blank to use the AWS managed key. | `string` | `null` | no |
| efs_provisioned_throughput_in_mibps | Throughput, in MiB/s, to provision for the EFS volume. Only used when `efs_throughput_mode` is `provisioned`. | `number` | `0` | no |
| efs_throughput_mode | Throughput mode for the EFS volume. Valid values: `bursting`, `provisioned` or `elastic`. When using `provisioned`, also set `efs_provisioned_throughput_in_mibps`. See the EFS documentation on throughput modes. | `string` | `"bursting"` | no |
| environment | AWS account name (e.g. `cms`) or region (e.g. `euw2`). Leave blank for single-account deployments. | `string` | `null` | no |
| jumpbox_enabled | Deploy a jumpbox (bastion) server for SSH access to the private subnets. Required for RDS database access via an SSH tunnel. | `bool` | `true` | no |
| lb_health_check_healthy_threshold | Number of consecutive successful health checks required before a target is considered healthy. | `number` | `1` | no |
| lb_health_check_interval | Interval in seconds between health checks. | `number` | `30` | no |
| lb_health_check_path | Destination path for the health check request. | `string` | `"/wp-admin/install.php"` | no |
| lb_health_check_timeout | Time in seconds to wait before failing a health check request. | `number` | `10` | no |
| lb_health_check_unhealthy_threshold | Number of consecutive failed health checks required before a target is considered unhealthy. | `number` | `3` | no |
| namespace | Namespace prefix, usually an abbreviation of your organization name (e.g. `is`). It helps ensure generated IDs are globally unique. Should be at most 3 characters. | `string` | n/a | yes |
| region | AWS region. Leave blank to use the region configured in the AWS CLI profile. | `string` | `null` | no |
| secret_kms_arn | ARN of the KMS Customer Managed Key (CMK) used to encrypt Secrets Manager secrets. Leave blank to use the AWS managed key. | `string` | `null` | no |
| service_task_cpu | CPU units to allocate to each ECS task. Must be a valid Fargate task size. | `number` | n/a | yes |
| service_task_instance_count | Number of ECS tasks to run. | `number` | `1` | no |
| service_task_memory | Memory (MiB) to allocate to each ECS task. Must be a valid Fargate task size for the chosen CPU. | `number` | n/a | yes |
| stage | Environment stage. Allowed values: `dev`, `staging`, `test`, `uat`, `prod`. | `string` | n/a | yes |
| tags | Additional tags to apply to all resources. | `map(string)` | `{}` | no |
| vpc_cidr_block | CIDR block for the VPC to be created. Subnets are calculated dynamically from this CIDR. | `string` | n/a | yes |
| vpc_use_nat_instance | Use a NAT instance instead of a NAT Gateway for outbound traffic. A NAT instance is cheaper but less reliable, so it is only useful for testing and development. Always leave this `false` in production to use a NAT Gateway. | `bool` | `false` | no |
| waf_aws_managed_rulesets | List of AWS Managed WAF rule groups to enable, prioritised in the order they appear. See the AWS Managed Rule Groups documentation for the full list. | `list(string)` | `["AWSManagedRulesCommonRuleSet", "AWSManagedRulesKnownBadInputsRuleSet", "AWSManagedRulesSQLiRuleSet", "AWSManagedRulesAmazonIpReputationList", "AWSManagedRulesPHPRuleSet", "AWSManagedRulesWordPressRuleSet"]` | no |
| waf_cloudwatch_metrics_enabled | Enable CloudWatch metrics for the WAF rule groups. | `bool` | `true` | no |
| waf_enabled | Enable the Web Application Firewall (WAF) to protect the site. | `bool` | `true` | no |
| waf_override_action_with_count | Override the action of the WAF rule groups with `count`, so matches are logged but not blocked. Enable this only to debug WAF behaviour; it disables enforcement. | `bool` | `false` | no |
| waf_sampled_requests_enabled | Enable request sampling for the WAF rule groups. | `bool` | `true` | no |
| waf_whitelist_ipv4_addresses | List of IPv4 addresses to exclude from WAF checks. This prevents legitimate requests from being blocked by managed rule groups (false positives). For example, Stripe webhook requests larger than CloudFront's 16 KB body limit can be blocked (see the `AWSManagedRulesCommonRuleSet` `SizeRestrictions_BODY` rule). Keep this list to known, fixed source addresses, since whitelisted traffic bypasses every rule group. | `list(string)` | `[]` | no |

## Outputs

| Name | Description |
|------|-------------|
| ecs_cluster_name | ECS cluster name where WordPress is deployed. |
| ecs_container_name | ECS container name where WordPress is deployed. |
| ecs_service_name | ECS service name where WordPress is deployed. |
| jumpbox_instance_id | Jumpbox instance ID. Use this ID to SSH into the jumpbox. |
| rds_cluster_admin_username | MySQL admin username. |
| rds_cluster_endpoint | RDS Aurora MySQL cluster endpoint. Use this endpoint for read-write operations. |
| rds_cluster_endpoint_reader | RDS Aurora MySQL cluster reader endpoint. Use this endpoint for read-only operations. |
| secret_rds_admin_credentials_arn | ARN of the Secrets Manager secret containing the MySQL admin credentials. |
| secret_rds_wpuser_credentials_arn | ARN of the Secrets Manager secret containing the MySQL WordPress user credentials. |
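The following root module is an added usage example, not code shipped with the blueprint. It wires together the required inputs from the table above with the settings a security engineer would normally override (customer-managed KMS keys, a pinned image tag, NAT Gateway in production, WAF left in enforcing mode) and consumes the outputs. The module `source` path, the region, the CIDR, the Aurora engine version, the instance class and the image tag are placeholders chosen for illustration; verify them against your account before use.

```hcl
terraform {
  required_version = ">= 1.3.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

provider "aws" {
  region = "eu-west-2" # assumption: deployment region
}

# Refuse the mutable :latest tag at plan time so a registry push can never
# silently change what runs in production. endswith() exists from Terraform 1.3.
variable "wordpress_image" {
  type        = string
  description = "Pinned WordPress image (tag or digest), e.g. docker.io/bitnami/wordpress-nginx:<tag>"
  validation {
    condition     = !endswith(var.wordpress_image, ":latest")
    error_message = "Pin wordpress_image to an explicit tag or @sha256 digest, not :latest."
  }
}

# One CMK for RDS storage, the EFS volume and the Secrets Manager secrets.
# Rotation is enabled so key material is refreshed annually by KMS.
resource "aws_kms_key" "wordpress_data" {
  description         = "CMK for WordPress RDS storage, EFS and Secrets Manager"
  enable_key_rotation = true
}

module "wordpress" {
  source = "./wordpress-ecs" # assumption: blueprint vendored next to this file

  # Required inputs
  namespace      = "is"
  stage          = "prod"
  vpc_cidr_block = "10.20.0.0/16"
  dns_zone_name  = "example.com"
  dns_subdomain  = "www"

  # Aurora MySQL. Example values; confirm with
  # `aws rds describe-db-engine-versions --engine aurora-mysql`.
  db_cluster_family = "aurora-mysql8.0"
  db_engine_version = "8.0.mysql_aurora.3.04.0"
  db_instance_class = "db.t4g.medium"
  db_instance_count = 2 # one writer plus one reader across AZs

  # Fargate task size: CPU and memory must be a supported pairing.
  service_task_cpu            = 1024
  service_task_memory         = 2048
  service_task_instance_count = 2

  # Stable AZ ordering avoids perpetual subnet diffs.
  availability_zones = ["eu-west-2a", "eu-west-2b"]

  container_image = var.wordpress_image

  # Encrypt data at rest under the CMK rather than the AWS managed keys.
  db_storage_kms_arn = aws_kms_key.wordpress_data.arn
  efs_kms_arn        = aws_kms_key.wordpress_data.arn
  secret_kms_arn     = aws_kms_key.wordpress_data.arn

  # Production networking: NAT Gateway, not a NAT instance.
  vpc_use_nat_instance = false

  # The jumpbox is an SSH host in the private subnets; switch it on only
  # while you actually need the RDS tunnel, then turn it back off.
  jumpbox_enabled = false

  # WAF stays enforcing; flip waf_override_action_with_count to true only
  # temporarily while diagnosing false positives.
  waf_enabled                    = true
  waf_override_action_with_count = false

  # Keep audit trails long enough for incident investigation.
  access_logs_retention_days    = 365
  container_logs_retention_days = 180

  tags = {
    Owner      = "platform-team"
    CostCentre = "cms"
  }
}

# Outputs consumed by operators. Credentials are never read into state here;
# fetch them at use time with
# `aws secretsmanager get-secret-value --secret-id "$(terraform output -raw wpuser_secret_arn)"`.
output "db_writer_endpoint" {
  value = module.wordpress.rds_cluster_endpoint
}

output "wpuser_secret_arn" {
  value = module.wordpress.secret_rds_wpuser_credentials_arn
}
```

Reading the credential secret through a `data "aws_secretsmanager_secret_version"` block would work, but it copies the plaintext password into Terraform state; exposing only the ARN and resolving it with the CLI (or from the ECS task, which the blueprint injects automatically) keeps the secret out of state files.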

## Dependencies

| Dependency | Version |
|------------|---------|
| registry.terraform.io/cloudposse/acm-request-certificate/aws | 0.18.0 |
| registry.terraform.io/cloudposse/alb/aws | 1.11.1 |
| registry.terraform.io/cloudposse/s3-log-storage/aws | 1.4.3 |
| registry.terraform.io/cloudposse/ecs-container-definition/aws | 0.61.1 |
| registry.terraform.io/cloudposse/ecs-alb-service-task/aws | 0.76.0 |
| registry.terraform.io/cloudposse/efs/aws | 1.1.0 |
| registry.terraform.io/cloudposse/ec2-bastion-server/aws | 0.31.0 |
| registry.terraform.io/cloudposse/rds-cluster/aws | 1.11.1 |
| registry.terraform.io/cloudposse/security-group/aws | 2.2.0 |
| registry.terraform.io/cloudposse/dynamic-subnets/aws | 2.4.2 |
| registry.terraform.io/cloudposse/label/null | 0.25.0 |
| registry.terraform.io/cloudposse/vpc/aws | 2.2.0 |
| registry.terraform.io/cloudposse/vpc/aws//modules/vpc-endpoints | 2.2.0 |
| registry.terraform.io/cloudposse/waf/aws | 1.8.0 |

©2024 InfraSource