Fork me on GitHub
Martynas Maciulevičius13:06:10

I have a question about Terraform on AWS. Do I need to do this: I.e. Do I need to do this every time I want to deploy some kind of thing or is there a simpler way? It's great that I get so much control about the subnets and so on. But I'm not sure how much I actually need yet. i.e. I don't ask about VPC because I probably need it for every different deployment. But what's odd is that there is so much stuff in this config. Because the more there is the more can go wrong.


usually the network structure is created once and then used as the ground for everything else, e.g. databases in private subnets, webapp backends and the load balancers in the dmz (public subnet). You can also attach Lambdas to VPCs so you can use Lambdas as glue in private subnets. Anything that should not be directly reachable from the public Internet should be in private subnets. Depending on the system you are building, there can be more network segments, to limit blast radius etc. I guess it comes down to what is the context and what one is doing. If say DynamoDB is enough, then you can do with VPCs and go towards more serverless. VPC just allows one to do networking as you would do in a physical office, with routers and firewalls and segmented networks. Just that all that is virtualized :)


but yeah, I know it's a lot to chew, if building a webapp with a database and networking is not familiar, there are a lot of knobs, but I think that the Terraform in the blog post could be simpler, and probably there are posts from aws that document best practices (yeah, I know I should link to them, bad excuse not having time now to look)

Martynas Maciulevičius14:06:32

I know the subnets and all the things. But I thought that it's too much to have Elastic IP. But then I may actually need an IP... but then how do I assign different hosts to different ports... Or then multiple IPs... oh my oh my...

😅 1

Yeah, AWS is not digital ocean, it's a data center as a service so you'll have to figure out things like networking, managed services and what not. Or use Lightsail (?) which I believe does all of this for you, or


I guess the thing is that is there a path onwards to a data center, if you need one :) Lightsail might be easier in at least keeping the data center complexity away more, IIRC it allows to connect to a VPC too. Copilot probably interesting too, IIRC it makes a sane VPC setup with private/public subnet, so you might turn that into more datacenterish if needed.


Glancing at that article a little, I’m not sure I’d trust everything it says. It makes liberal and unnecessary use of depends_on, which is generally an antipattern. Not knowing that you should let terraform manage your resource dependencies for you is a little bit of a red flag. I didn’t read the article in enough detail to see how legit the rest was, but I wanted to flag this for y’all to be cautious.

Martynas Maciulevičius04:06:07

Who knows if they look for good and bad patterns in their examples. After all the original webpage containing tutorial is which means that they aren't really concerned with offering alternatives and preventing lock-in. I think the person that wrote this is paid not for maintaining these examples but for producing them. And it may have been OK at the time of writing (2021): It could mean that the tutorial is outdated. Not sure.


I’m a bit of a networking dummy, but if you want to have a 3-tier VPC setup (internet <--> public subnet <--> private subnet <--> data subnet), is the only way to restrict traffic between, say, the public and data subnets via NACLs? Is there no way to do it via route tables?

Martynas Maciulevičius05:06:26

This tutorial and diagram shows that there is a NAT component between networks: So what this means is that you would have two different subnets (networks with different addr ranges) and NAT router would translate between them. So for instance you could have subnets and And then IMO the NAT router would convert between them. At least in theory. I don't know how it will work in that example and on AWS. When you have internet at home this is what your ISP does for you. They have a router (not the one that you have in your home) that takes your packets and routes them to your cable. And then your local box (let's not call it a router (it's a dumbed down version of a router that does much of other stuff too)) does the NAT translation into your local subnet (which probably is and can have 255 hosts (including your modem box)). I have no idea.