Infra Foundation bundle

AWS Foundation Bundle: network, load balancer, IAM, logging, and private compute

A deployable Terraform foundation for teams that want the connected path from VPC to public traffic entry to private application instances, with logging and IAM patterns included.

AWS Foundation Bundle architecture diagram

From isolated networking to a working application path

The AWS Foundation Bundle brings together logging, IAM, VPC, ALB, and Auto Scaling modules in separate staging and production Terraform roots.

The bundle includes a multi-AZ VPC with public, private application, and database subnet tiers; NAT routing; gateway and interface VPC endpoints; CloudWatch VPC Flow Logs; ALB access log destinations; EC2 instance profile permissions; an ALB module; and an Auto Scaling group module for private app instances.

Use it when you want more than isolated modules: a reference stack that shows how the foundation pieces connect in real environments.

What is included

Multi-tier VPC
  • Public, private application, and database subnet tiers
  • Single or per-AZ NAT Gateway strategy
  • Gateway endpoints for configured AWS services
  • Interface endpoints with configurable HTTPS ingress CIDRs
Traffic entry
  • ALB module wired to VPC outputs
  • Public or internal placement
  • Optional HTTPS certificate support
  • Target group registration from Auto Scaling
Logging
  • ALB access logs bucket option
  • Application logs bucket option
  • VPC Flow Logs CloudWatch log group
  • Optional application CloudWatch log groups
IAM and compute
  • EC2 instance profile with SSM Session Manager baseline
  • Scoped SSM parameter and CloudWatch Logs permissions
  • Launch template and Auto Scaling group
  • IMDSv2 required on launch template
Operational environments
  • Separate staging and production live roots
  • S3 backend with native lockfile guidance
  • Environment-specific variable files
  • Outputs for VPC, ALB, logging, IAM, and application endpoints
Security posture
  • Private app instances behind ALB
  • Database security group restricted to app tier
  • Database tier without open internet egress
  • Consistent environment and project tags
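The following is an added Terraform illustration of two items in the lists above, the IMDSv2-required launch template and the database security group restricted to the app tier with no internet egress; it is not the bundle's own code, and the resource names, variables and port are assumptions.

```hcl
# Added example, not part of the bundle. Names and variables are assumed.
resource "aws_launch_template" "app" {
  name_prefix   = "app-"
  image_id      = var.ami_id
  instance_type = "t3.small"

  iam_instance_profile {
    name = aws_iam_instance_profile.app.name
  }

  # http_tokens = "required" rejects IMDSv1 (unauthenticated GET) requests,
  # so instance-profile credentials can only be read with a session token.
  # A hop limit of 1 keeps metadata from being relayed through containers.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  vpc_security_group_ids = [aws_security_group.app.id]
}

# Database tier. No egress block is declared: the AWS provider removes the
# default allow-all egress rule from a VPC security group it creates, so the
# tier has no outbound internet path unless one is added explicitly.
resource "aws_security_group" "db" {
  name   = "db-tier"
  vpc_id = var.vpc_id

  tags = {
    Environment = var.environment
    Project     = var.project
  }
}

# Only members of the app security group may reach the database port
# (5432 assumed here); no CIDR-based ingress is defined.
resource "aws_vpc_security_group_ingress_rule" "db_from_app" {
  security_group_id            = aws_security_group.db.id
  referenced_security_group_id = aws_security_group.app.id
  from_port                    = 5432
  to_port                      = 5432
  ip_protocol                  = "tcp"
}
```

After `terraform plan`, confirm the DB group shows a single ingress rule referencing the app group and no egress rules.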

Bundle structure

The bundle is delivered as a composed Terraform stack, not just a single module. It includes live staging and production roots plus reusable modules for logging, IAM, VPC, ALB, and Auto Scaling.

terraform-aws-network-app-stack/
├── infra/live/
│   ├── staging/
│   └── prod/
├── infra/modules/
│   ├── logging/
│   ├── iam/
│   ├── vpc/
│   ├── alb/
│   └── asg/
├── templates/
│   └── user_data.sh
└── README.md

Frequently asked questions

Is this only VPC plus ALB?

No. The bundle also includes logging, IAM, Auto Scaling, app security group, database security group, and staging/prod live roots.

Does it include app servers?

It includes an Auto Scaling module and launch template pattern for private EC2 application instances, with user data template support.

Does it manage DNS?

The bundle focuses on network, ALB, IAM, logging, and compute. DNS can be integrated separately depending on the domain provider.

Is production separated from staging?

Yes. The repository has separate live roots for staging and production, with separate state configuration and environment-specific variables.