This folder contains a Terraform-based blueprint that provisions the AWS infrastructure required to run the Employee Management System in a production setting. It focuses on providing a secure, scalable foundation that aligns with the code in this repository (React frontend, Spring Boot backend, MySQL persistence, and containerized workloads).
```mermaid
flowchart LR
    subgraph VPC [VPC]
        subgraph PrivateSubnets [Private Subnets]
            EKS[EKS Managed Node Group]
            RDS[(Amazon RDS MySQL)]
        end
        subgraph PublicSubnets [Public Subnets]
            NAT[NAT Gateway]
        end
    end
    ECR[(Amazon ECR Repos)]
    Secrets[(AWS Secrets Manager)]
    ECR -->|Push Docker images| EKS
    Secrets -->|Mount via Kubernetes Secret| EKS
    EKS -->|JDBC traffic 3306| RDS
```
### VPC & networking

- Multi-AZ VPC with public and private subnets (private subnets host compute and databases).
- Managed NAT gateway for outbound internet access from private subnets.

### Compute platform

- Amazon EKS cluster with a managed node group sized by Terraform variables.
- IRSA enabled so workloads can assume AWS IAM roles when needed.

### Data layer

- Amazon RDS for MySQL with encryption, automated backups, maintenance windows, and security group rules that only allow access from the EKS worker nodes.
- Database connection details stored in AWS Secrets Manager.

### Container registry

- Separate Amazon ECR repositories for frontend and backend images with image scanning and lifecycle policies.
The stack intentionally keeps MongoDB/DocumentDB optional because the current Spring Boot code does not persist to Mongo. Add a DocumentDB module only if you introduce Mongo-backed repositories.
- Terraform 1.4 or later.
- AWS CLI v2 configured with an account that can create VPC, EKS, RDS, ECR, IAM, and Secrets Manager resources.
- kubectl 1.27+ for interacting with the cluster.
- Docker (or an equivalent build system) for building container images.
1. Set Terraform variables
   - Copy `aws/terraform/example.tfvars` (create this file) or create your own `terraform.tfvars` in `aws/terraform/`.
   - At minimum provide a strong `db_password`. Example:

     ```hcl
     project_name       = "employee-management"
     environment        = "prod"
     aws_region         = "us-east-1"
     db_password        = "changeMeSuperSecure123!"
     single_nat_gateway = false # optional, enable one NAT per AZ for higher availability
     ```

2. Deploy the infrastructure

   ```bash
   cd aws/terraform
   terraform init
   terraform plan
   terraform apply
   ```

3. Grab the connection details

   ```bash
   terraform output
   terraform output eks_update_kubeconfig_command
   ```

4. Configure kubectl

   ```bash
   aws eks update-kubeconfig --region <region> --name <cluster_name>
   ```

5. Build & push container images

   ```bash
   # Backend
   docker build -t $(terraform output -raw backend_ecr_repository):<tag> ../../backend
   docker push $(terraform output -raw backend_ecr_repository):<tag>

   # Frontend (serves the React production build)
   docker build -t $(terraform output -raw frontend_ecr_repository):<tag> ../../frontend
   docker push $(terraform output -raw frontend_ecr_repository):<tag>
   ```

6. Create Kubernetes secrets for database connectivity

   ```bash
   # Fetch the secret from Secrets Manager
   aws secretsmanager get-secret-value \
     --secret-id $(terraform output -raw mysql_secret_name) \
     --query 'SecretString' --output text > mysql-creds.json

   kubectl create secret generic mysql-credentials \
     --from-file=mysql-creds.json=mysql-creds.json \
     --namespace default

   rm mysql-creds.json
   ```

   Update `kubernetes/backend-deployment.yaml` to mount these credentials as environment variables (e.g., via `envFrom.secretRef`).

7. Update Kubernetes manifests
   - Set the backend deployment image to the pushed ECR tag (port 8080).
   - Set the frontend deployment image to the pushed ECR tag (port 80) or deploy the static build via another mechanism.
   - Inject `SPRING_DATASOURCE_URL`, `SPRING_DATASOURCE_USERNAME`, and `SPRING_DATASOURCE_PASSWORD` using the secret created above.
   - Apply manifests:

     ```bash
     kubectl apply -f ../../kubernetes
     ```
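Steps 6 and 7 leave a gap: a Secret created with `--from-file` holds a single key named `mysql-creds.json`, so `envFrom.secretRef` alone would not produce the `SPRING_DATASOURCE_*` variables the backend expects. The following added example (not part of this repository) turns the Secrets Manager JSON into a Secret manifest with exactly those three keys, ready for `kubectl apply -f -`, so the plaintext never has to be written to disk. It assumes the JSON written by `secrets.tf` carries `username`, `password`, `host`, `port` and `dbname` keys, and uses a constructed sample secret instead of calling AWS.

```python
import base64
import json

# Keys assumed for the JSON that secrets.tf writes (an assumption, not confirmed by the README).
REQUIRED_KEYS = ("username", "password", "host", "port", "dbname")


def spring_env_from_secret(secret_string: str) -> dict:
    """Translate the Secrets Manager JSON into the three Spring datasource variables."""
    creds = json.loads(secret_string)
    missing = [k for k in REQUIRED_KEYS if k not in creds]
    if missing:
        raise ValueError(f"secret is missing keys: {missing}")
    # useSSL/requireSSL keep the JDBC session to RDS encrypted in transit.
    url = (f"jdbc:mysql://{creds['host']}:{int(creds['port'])}/{creds['dbname']}"
           "?useSSL=true&requireSSL=true")
    return {
        "SPRING_DATASOURCE_URL": url,
        "SPRING_DATASOURCE_USERNAME": creds["username"],
        "SPRING_DATASOURCE_PASSWORD": creds["password"],
    }


def secret_manifest(name: str, namespace: str, env: dict) -> str:
    """Render a Kubernetes Secret whose data keys match what envFrom.secretRef exposes."""
    data = {k: base64.b64encode(v.encode()).decode() for k, v in env.items()}
    manifest = {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": data,
    }
    return json.dumps(manifest, indent=2)  # JSON is accepted by `kubectl apply -f -`


# Constructed sample of a SecretString; the endpoint is a placeholder, not a real RDS host.
SAMPLE_SECRET = json.dumps({
    "username": "admin",
    "password": "changeMeSuperSecure123!",
    "host": "employee-management-prod.abc123.us-east-1.rds.amazonaws.com",
    "port": 3306,
    "dbname": "employees",
})

if __name__ == "__main__":
    # Pipe this output straight into `kubectl apply -f -` instead of saving it.
    print(secret_manifest("mysql-credentials", "default",
                          spring_env_from_secret(SAMPLE_SECRET)))
```

In practice, feed the script the output of `aws secretsmanager get-secret-value --query SecretString --output text` on stdin and pipe its result to `kubectl apply -f -`, then reference `mysql-credentials` from `envFrom.secretRef` in the backend deployment.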
- Backups: Automated backups retain `db_backup_retention` days (default 14). Adjust the variable as needed.
- Maintenance: Controlled by `db_maintenance_window`. Terraform keeps the setting consistent across Terraform runs.
- Failover: `db_multi_az` defaults to `true` to give automatic failover. Disable only for dev/test environments.
- Secrets: `aws/terraform/secrets.tf` writes credentials to Secrets Manager. Rotate the password by updating `db_password` and reapplying Terraform.
- EKS nodes: Adjust `eks_node_desired`, `eks_node_min`, and `eks_node_max` in `terraform.tfvars` to scale compute capacity.
- RDS storage: Increase `db_allocated_storage` and `db_max_allocated_storage` to grow storage limits.
- Network: Switch `single_nat_gateway` to `false` to provision one NAT gateway per AZ for higher availability.
Terraform enables deletion protection on the database. To tear everything down:

- Set `db_deletion_protection = false` in `terraform.tfvars` and run `terraform apply`.
- Run `terraform destroy` when you are ready to delete the stack.
- Manually remove any remaining ECR images or S3 assets if you created additional resources.
| Variable | Purpose | Default |
|---|---|---|
| `project_name` | Prefix for resource names and tags | `employee-management` |
| `environment` | Environment identifier appended to names | `prod` |
| `aws_region` | Deployment region | `us-east-1` |
| `availability_zone_count` | Number of AZs to target | `3` |
| `db_password` | Required MySQL admin password | none |
| `db_multi_az` | Enable Multi-AZ for RDS | `true` |
| `single_nat_gateway` | Use one NAT gateway across AZs | `true` |
| `ecr_image_retain_count` | Number of Docker images to retain | `10` |
See aws/terraform/variables.tf for the full list and documentation.
- Terraform stores the database password in state. Use secure backend storage (e.g., Terraform Cloud, S3 with encryption) and restrict access.
- Rotate Secrets Manager entries regularly (`aws secretsmanager rotate-secret` or Terraform updates).
- Tighten CORS configuration in the Spring Boot app before exposing APIs publicly.
- Lock down Kubernetes RBAC and network policies—the provided manifests are intentionally minimal.
- Ingress Controller: Deploy AWS Load Balancer Controller via Helm to expose the backend through an ALB.
- TLS & DNS: Terminate TLS using AWS Certificate Manager and Route 53 once a domain is available.
- Static Frontend: Host the React build in S3 + CloudFront if you prefer static site delivery over a containerized frontend.
- Monitoring: Install AWS Observability Accelerator, Prometheus, or Datadog agents for metrics and logging.
The provided Terraform modules have been tested for syntactic correctness, but always review plan outputs and adjust to your organization's requirements before deploying to a live AWS account.
Tip: This one-click deployment will allow you to experiment with the Employee Management System in a production-like environment. Feel free to set up and deploy your own instance of the full stack application using this guide. However, for any serious usage, ensure you understand the security and cost implications of running resources in AWS.