https://github.com/silasfrancis/secure-aws-internal-platform

A production-grade internal application platform deployed on AWS EC2 using Terraform and Ansible, with strong emphasis on network isolation, zero-trust access, and policy-as-code enforcement across infrastructure and CI.
https://github.com/silasfrancis/secure-aws-internal-platform

ansible aws checkov cicd devops docker ec2 github-actions internal-platform nginx opa platform-engineering policy-as-code private-network secrets-management security-architecture terraform vpn wireguard zero-trust

Last synced: 3 months ago
JSON representation

A production-grade internal application platform deployed on AWS EC2 using Terraform and Ansible, with strong emphasis on network isolation, zero-trust access, and policy-as-code enforcement across infrastructure and CI.

• Host: GitHub
• URL: https://github.com/silasfrancis/secure-aws-internal-platform
• Owner: silasfrancis
• Created: 2026-01-28T23:50:56.000Z (5 months ago)
• Default Branch: dev
• Last Pushed: 2026-02-27T20:04:41.000Z (4 months ago)
• Last Synced: 2026-02-28T00:33:24.159Z (4 months ago)
• Topics: ansible, aws, checkov, cicd, devops, docker, ec2, github-actions, internal-platform, nginx, opa, platform-engineering, policy-as-code, private-network, secrets-management, security-architecture, terraform, vpn, wireguard, zero-trust
• Language: Python
• Homepage:
• Size: 669 KB
• Stars: 0
• Watchers: 0
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • Security: docs/security.md

Awesome Lists containing this project

README

          
# Secure AWS Application Deployment with Ansible, WireGuard, Nginx, and Policy as Code

A production-grade internal application platform deployed on AWS EC2 using Terraform and Ansible, with strong emphasis on network isolation, zero-trust access, and policy-as-code enforcement across infrastructure and CI.

The platform runs a FastAPI backend and React frontend in Docker containers across multiple EC2 instances, fronted by an internal load balancer and accessible **only through a WireGuard VPN**.

---

## Overview

Modern internal platforms must be secure by default, auditable, and fully automated.

This project demonstrates how to build a **locked-down internal application platform on AWS**, where:

- No application is publicly exposed

- Infrastructure changes are policy-validated

- CI pipelines use short-lived credentials

- Configuration management is reproducible and idempotent

It mirrors real-world enterprise patterns for internal tooling, admin platforms, and private services.

---

## Key Features

- Internal-only application access via WireGuard VPN

- Infrastructure provisioning using Terraform

- Configuration management with Ansible (roles & templates)

- Containerized workloads using Docker and Docker Compose

- Internal load balancing with Nginx

- Policy as Code enforcement for IaC and CI

- Secure CI using GitHub OIDC

---

## Architecture Overview

### High-Level Flow

```

Developer

↓

GitHub Actions (OIDC)

↓

Terraform + Policy Checks

↓

AWS Infrastructure (VPC, EC2, ALB, RDS)

↓

Ansible Configuration

↓

Dockerized Applications on EC2

```

### Runtime Traffic Flow

```

Client

↓

WireGuard VPN

↓

Internal Application Load Balancer

↓

Nginx (Internal Routing)

↓

FastAPI / React Containers

↓

RDS (PostgreSQL)

```

---

## Infrastructure & Platform Components

### Networking & Access Control

- Applications are deployed behind an **internal Application Load Balancer**

- No public ingress to application EC2 instances

- Access is restricted to users connected via **WireGuard VPN**

- WireGuard runs on a dedicated EC2 instance

### Application Runtime

- FastAPI backend and React frontend run in Docker containers

- Two EC2 instances host application workloads

- Nginx acts as an internal reverse proxy and load balancer

- Hostname-based routing is used for services

### Configuration Management (Ansible)

Ansible is used to:

- Install Docker and Docker Compose on EC2 instances

- Deploy and manage application containers

- Configure Nginx with templated configs

- Run database migrations from EC2 instances

- Set up WireGuard server and generate client keys

- Enforce consistency using roles and templates

Ansible communicates with EC2 instances using AWS Systems Manager (SSM) instead of SSH. 

This allows configuration management without opening inbound management ports or distributing SSH keys.

Connections are authenticated using IAM roles attached to the EC2 instances.

---

## Security Model

### CI/CD Security

- GitHub Actions uses **OIDC to assume AWS IAM roles**

- No long-lived AWS credentials stored in CI

- AWS Secrets Manager is used to securely fetch Terraform secrets

### Policy as Code

- **Checkov** for static Terraform/IaC scanning

- **OPA** to validate Terraform plan files before apply

- Prevents insecure or non-compliant infrastructure changes

### Application & Image Security

- **Semgrep** for static application code analysis

- **OWASP Dependency Check** for vulnerable dependencies

- **Trivy** for container image vulnerability scanning after build

### Network Security

- No public application endpoints

- VPN-only access via WireGuard

- Internal ALB and private networking

### Instance Access & Management

EC2 instances are managed using AWS Systems Manager (SSM) rather than SSH.

- No SSH keys are generated or distributed

- Port 22 is not exposed on any EC2 instance

- Ansible connects to EC2 instances via SSM using IAM permissions

This significantly reduces the attack surface and eliminates credential sprawl associated with SSH-based access.

---

## CI/CD Pipeline

- Infrastructure provisioning via Terraform

- Policy validation gates before apply

- Container images built and scanned in CI

- Configuration applied via Ansible

- Secrets sourced dynamically using OIDC and AWS Secrets Manager

---

## Repository Structure

```

.

├── .github

│   ├── actions

│   └── workflows

├── ansible

│   └── roles

├── backend

│   ├── fastapi

│   └── postgres_db

├── frontend

│   └── react-recoil

├── policies

│   ├── checkov

│   └── opa

├── terraform

│   ├── aws_modules

│   └── env

├── docs

└── utils

```

### Directory Overview

- `.github/` – CI workflows and reusable GitHub Actions

- `ansible/` – Roles and templates for EC2 configuration

- `terraform/` – AWS infrastructure modules and environments

- `policies/` – Policy-as-code rules (Checkov & OPA)

- `backend/` – FastAPI application and database migrations files

- `frontend/` – React frontend

- `docs/` – Architecture and security documentation

---

## Getting Started (High-Level)

This project is **not a one-click deployment**.

It assumes familiarity with:

- AWS networking & IAM

- Terraform

- Ansible

- Docker

- VPN concepts

High-level steps:

1. Provision AWS infrastructure using Terraform

2. Validate plans using policy-as-code checks

3. Configure EC2 instances using Ansible

4. Deploy WireGuard and generate client configurations

5. Deploy application containers and Nginx routing

6. Access the platform via VPN connection

---

## Limitations & Future Work

- No Kubernetes (intentionally EC2-focused)

- Observability stack not yet implemented

- Automated VPN client provisioning could be improved

---

## Why This Project Matters

This project demonstrates:

- Defense-in-depth cloud security

- Policy-driven infrastructure governance

- Realistic enterprise deployment patterns

- Strong separation of concerns between provisioning and configuration

## Additional Documentation

Detailed architecture and security documentation is provided in the `docs/` directory:

- [`docs/architecture.md`](docs/architecture.md) – System architecture, infrastructure components, and data flows

- [`docs/security.md`](docs/security.md) – Security model, IAM design, policy-as-code enforcement, and threat mitigation