Deploying WordPress with Terraform

Terraform is an open source Infrastructure as Code (IaC) tool developed by HashiCorp and it supports most major public cloud platforms such as AWS, Google Cloud, Azure, DigtialOcean, and so on.

What makes Infrastructure as Code special? It enables you to automatically deploy and manage the infrastructure needed to run technology stacks, such as WordPress, through software instead of manual processes. IaC enables one to deploy and manage cloud servers, create sub nets, update DNS and more with code that is stored in a version control system such as Git. In fact, this website was deployed using both Terraform and Ansible. Terraform provisioned the DigitalOcean cloud server, configured firewall rules that only allow HTTPS traffic though CloudFlare, and configured the DNS records on CloudFlare for this website. Ansible was then used to configure the cloud server with WordPress. Here is the GitHub repository for those of you who are interested: HauptJ/WordPress-CloudFlare-Terraform

One useful feature of Terraform is the fact that it keeps track of the resources it created in a state file. This makes managing those resources easier later on in case you ever want add, update or destroy resources.

First you need to declare your service providers. In this example, I am using DigitalOcean for their Infrastructure as a Service (IaaS) offerings and CloudFlare for their DNS and Software as a Service (SaaS) offerings. Terraform interacts with the service providers API, so you will need have the required API tokens readily available. For security reasons, storing hard coded credentials such as API tokens in a repository is a terrible practice. One safe method of passing in credentials is to set them as temporary environment variables.

After you declare your providers, you can start creating resources such as servers. Terraform provides provisioners to configure servers after they are deployed. Unfortunately, it does not support Ansible out of the box. However, Adam Mckaig created a Golang project that utilizes the Terraform inventory file to generate a dynamic inventory for Ansible. Here is the GitHub repository for his tool. adammck/terraform-inventory

As shown below, you will notice the local exec provisioner that executes Ansible with a specified Terraform state file. The state file is used to generate a dynamic inventory for Ansible that contains the wordpress server as a member of the wordpress group.

Terraform can also configure firewall policies, or security groups as they are called in AWS, with may cloud service providers. Below is an example of a firewall policy that only allows incoming HTTPS traffic from CloudFlare’s IPv6 address ranges. The idea with this is to prevent rouge actors from trying to bypass the Web Application Firewall (WAF) protecting this site. This also demonstrates a cool feature that a few WAF providers offer, which is the ability to proxy incoming IPv4 requests over IPv6 to the end host server. For this website, Nginx is only configured to listen for HTTPS connections over IPv6 and CloudFlare is not only proxying IPv4 connections, it is also redirecting HTTP requests to use HTTPS.

In order to associate this firewall policy with the DigitalOcean cloud server, you need to specify the droplet id which is generated as the server is deployed. You can see this on line 4.

After the server is deployed, the DNS records are updated so CloudFlare can proxy HTTPS requests to the server. For management purposes, I also configured an IPv6 AAAA record and an IPv4 A record to point directly to the server, bypassing CloudFlare. This is to make logging into the server with SSH easier in the rare event it is necessary for troubleshooting purposes or to inspect anomalies caused by malicious actors.

You will want to make sure that DNS records are created after the server is deployed. To do so, you can specify a the resources that need to be created beforehand using depends_on as demonstrated on lines 9, 18, and 27 of the code snippet below.

Once you have all the resources defined, you deploy them. To do so, you first need to initialize Terraform by running terraform init. Then you need to generate the a deployment plan by running terraform plan -out=wordpress.tfplan. After the plan file has been generated, you can use it to deploy everything by running terraform apply wordpress.tfplan.

If you wish to destroy everything you can generate a plan to destroy the resources you created by running terraform plan -destroy -out=wordpress_down.tfplan. Then you can destroy everything by running terraform apply “wordpress_down.tfplan”.