A production-grade Terraform module for deploying scalable, secure, and highly available WordPress installations on AWS.
This Terraform module creates a fully-featured WordPress deployment with the following components:
- Network: Multi-AZ VPC with public, private application, and private data subnets
- Compute: Auto Scaling Group of WordPress EC2 instances for high availability and scalability
- Database: RDS MySQL with optional read replicas for database scaling
- Storage: EFS for shared WordPress content across instances
- Caching: ElastiCache (Redis) for improved performance
- Load Balancing: Application Load Balancer for traffic distribution
- CDN: Optional CloudFront distribution for global content delivery
- Security: Well-defined security groups, IAM roles, and encryption
- Monitoring: CloudWatch dashboards, alarms, and logging
```hcl
module "wordpress" {
  source = "github.com/yourusername/aws-wordpress-terraform"

  # Required parameters
  project_name = "my-wordpress-site"
  environment  = "production"
  aws_region   = "us-east-1"

  # Network parameters
  vpc_cidr                  = "10.0.0.0/16"
  availability_zones        = ["us-east-1a", "us-east-1b"]
  public_subnet_cidrs       = ["10.0.1.0/24", "10.0.2.0/24"]
  private_app_subnet_cidrs  = ["10.0.11.0/24", "10.0.12.0/24"]
  private_data_subnet_cidrs = ["10.0.21.0/24", "10.0.22.0/24"]

  # WordPress configuration
  instance_type    = "t3.small"
  min_size         = 2
  max_size         = 5
  desired_capacity = 2
  key_name         = "my-key-pair"

  # Database configuration
  db_instance_class = "db.t3.small"
  db_name           = "wordpress"
  db_username       = "admin"
  db_password       = "securepassword" # Placeholder only: never commit a literal; source it from Secrets Manager or SSM and note that the resolved value is still written to Terraform state
  create_db_replica = true

  # Cache configuration
  create_elasticache = true

  # Domain configuration
  site_url              = "example.com"
  create_route53_record = true
  route53_zone_id       = "Z1234567890ABC"

  # Optional HTTPS
  enable_https        = true
  acm_certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-ef56-gh78-ij90-klmnopqrstuv"

  # Tags
  tags = {
    Owner       = "DevOps Team"
    Project     = "Corporate Website"
    Environment = "Production"
  }
}
```
The module includes two example configurations:
- Basic: A simplified WordPress setup for development environments
- Complete: A fully-featured production configuration with all options enabled
To deploy an example (review the plan output, in particular any security group, IAM or encryption attributes, before applying):

```bash
cd examples/basic
terraform init
terraform plan -var-file="example.tfvars"
terraform apply -var-file="example.tfvars"
```
| Name | Version |
|---|---|
| terraform | >= 1.0.0 |
| aws | ~> 5.0 |
- Multi-AZ deployment: subnets, the Auto Scaling Group and RDS span at least two availability zones
- Auto Scaling for WordPress instances
- RDS Multi-AZ with optional read replicas
- Self-healing: the Auto Scaling Group replaces instances that fail health checks
- ElastiCache (Redis) for object caching
- EFS for shared content across instances
- Optional CloudFront CDN integration
- Load balancing across multiple instances
- Private subnets for the application and data tiers
- Security groups following the principle of least privilege
- Encrypted storage and database
- Bastion hosts for SSH access to instances in the private subnets
- HTTPS support with ACM certificates
- Auto Scaling based on CPU utilization
- Separate database read replicas for read scaling
- Ability to scale instances horizontally
- CloudWatch dashboards with key metrics
- Alarms for critical components
- Detailed logging for troubleshooting
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| project_name | The name of the project used for tagging | string | - | yes |
| environment | Environment name (dev, staging, prod) | string | "dev" | no |
| aws_region | AWS region to deploy resources | string | "us-east-1" | no |
| vpc_cidr | CIDR block for the VPC | string | "10.0.0.0/16" | no |
| availability_zones | List of availability zones to use | list(string) | ["us-east-1a", "us-east-1b"] | no |
| public_subnet_cidrs | CIDR blocks for public subnets | list(string) | ["10.0.1.0/24", "10.0.2.0/24"] | no |
| private_app_subnet_cidrs | CIDR blocks for private app subnets | list(string) | ["10.0.11.0/24", "10.0.12.0/24"] | no |
| private_data_subnet_cidrs | CIDR blocks for private data subnets | list(string) | ["10.0.21.0/24", "10.0.22.0/24"] | no |
| instance_type | Instance type for WordPress servers | string | "t3.small" | no |
| min_size | Minimum number of WordPress instances | number | 1 | no |
| max_size | Maximum number of WordPress instances | number | 4 | no |
| desired_capacity | Desired number of WordPress instances | number | 2 | no |
| db_instance_class | RDS instance class | string | "db.t3.small" | no |
| db_name | Name of the WordPress database | string | "wordpress" | no |
| db_username | Username for the WordPress database | string | - | yes |
| db_password | Password for the WordPress database | string | - | yes |
| create_db_replica | Whether to create a read replica | bool | true | no |
| create_elasticache | Whether to create ElastiCache for caching | bool | true | no |
| site_url | URL of the WordPress site | string | "example.com" | no |
| create_route53_record | Whether to create a Route 53 record | bool | false | no |
| route53_zone_id | ID of the Route 53 hosted zone | string | "" | no |
| enable_https | Whether to enable HTTPS | bool | false | no |
| acm_certificate_arn | ARN of the ACM certificate for HTTPS | string | "" | no |
| Name | Description |
|---|---|
| vpc_id | The ID of the VPC |
| alb_dns_name | The DNS name of the load balancer |
| rds_endpoint | The endpoint of the RDS instance |
| bastion_public_ips | The public IPs of the bastion hosts |
| wordpress_security_group_id | The ID of the WordPress security group |
| efs_id | The ID of the EFS file system |
| elasticache_endpoint | The endpoint of the ElastiCache cluster |
- Secrets Management: Use AWS Secrets Manager or SSM Parameter Store for database credentials instead of a literal db_password in your configuration. Whatever value Terraform resolves is still written to the state file, so keep the state backend encrypted and access-restricted as well
- Backups: Enable RDS automated backups and consider additional backup solutions; RDS snapshots do not cover the WordPress content on EFS, so back that up separately (for example with AWS Backup)
- CI/CD: Use the included GitHub Actions workflow for infrastructure validation
- Custom AMI: Consider building a custom AMI with WordPress pre-installed for faster scaling
- Updates: Implement a strategy for WordPress core and plugin updates
- WAF: Add AWS WAF, attached to the ALB or the CloudFront distribution, for protection against common web exploits
- Monitoring: Extend CloudWatch monitoring with custom metrics and alarms
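The usage block above passes `db_password` as a literal, and the Secrets Management item asks for AWS Secrets Manager or SSM Parameter Store instead. The configuration below is an added example, not part of the module, of one way to do that end to end: the password is generated by Terraform, stored in Secrets Manager, and fed to the module without a human ever handling it. The secret name, the `wpadmin` username and the `random` provider version are this example's assumptions; the WordPress instances' IAM role would additionally need `secretsmanager:GetSecretValue` on this secret if the application itself reads it, and that role is not shown in this README.

```hcl
# Added example: database credentials via Secrets Manager, not a literal.
# Assumes the hashicorp/random provider and a secret name of this example's choosing.

terraform {
  required_version = ">= 1.0.0"
  required_providers {
    aws    = { source = "hashicorp/aws", version = "~> 5.0" }
    random = { source = "hashicorp/random", version = "~> 3.5" }
  }
}

provider "aws" {
  region = "us-east-1"
}

# Generated inside Terraform, so the password never appears in source control.
resource "random_password" "db" {
  length  = 32
  special = true
  # RDS MySQL master passwords may not contain "/", "@", "\"" or a space,
  # so replace the default special-character set with one that excludes them.
  override_special = "!#$%^&*()-_=+[]{}<>:?"
}

resource "aws_secretsmanager_secret" "db" {
  name                    = "my-wordpress-site/production/db" # assumed name
  recovery_window_in_days = 7
}

resource "aws_secretsmanager_secret_version" "db" {
  secret_id = aws_secretsmanager_secret.db.id
  secret_string = jsonencode({
    username = "wpadmin" # assumed; anything but a predictable default
    password = random_password.db.result
  })
}

# Read the credentials back from the stored version so RDS and Secrets Manager
# can never disagree about the password.
locals {
  db_credentials = jsondecode(aws_secretsmanager_secret_version.db.secret_string)
}

module "wordpress" {
  source = "github.com/yourusername/aws-wordpress-terraform"

  project_name = "my-wordpress-site"
  environment  = "production"
  aws_region   = "us-east-1"

  # Credentials come from the secret, never from a literal in this file.
  db_username = local.db_credentials.username
  db_password = local.db_credentials.password
}
```

`random_password.result` is marked sensitive by the provider, so `terraform plan` prints it as `(sensitive value)`, but the generated password and the secret version are both stored in Terraform state. Use an encrypted remote backend (for example S3 with SSE-KMS and a restrictive bucket policy) and treat read access to that state as equivalent to access to the database. Rotating the password later is a matter of tainting `random_password.db` and applying, which updates the secret version and the RDS master password together.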
- Private subnets for the application and database tiers
- Bastion hosts for SSH access to instances in the private subnets
- Security groups following the principle of least privilege
- Encrypted storage (EBS, EFS, S3)
- Encrypted database (RDS)
- HTTPS support with ACM certificates
- IAM roles with least-privilege permissions
This module is licensed under the Apache License 2.0. See LICENSE for full details.
Contributions are welcome! Please feel free to submit a Pull Request.
1. Fork the repository
2. Create your feature branch (`git checkout -b feature/amazing-feature`)
3. Commit your changes (`git commit -m 'Add some amazing feature'`)
4. Push to the branch (`git push origin feature/amazing-feature`)
5. Open a Pull Request