graph TB
    subgraph VPC[VPC 10.0.0.0/16]
        subgraph PublicSubnets[Public Subnets]
            PS1[Public Subnet 1
10.0.1.0/24
us-east-1a]
            PS2[Public Subnet 2
10.0.2.0/24
us-east-1b]
        end

        subgraph ALB[Application Load Balancer]
            LB[ALB
Port 80]
            TG1[Target Group:
auth-tg]
            TG2[Target Group:
ecommerce-tg]
        end

        subgraph ECS[ECS Cluster]
            subgraph AuthService[Auth Service]
                AS[Fargate Tasks
auth-container
nginx:alpine]
            end
            subgraph EcommerceService[Ecommerce Service]
                ES[Fargate Tasks
ecommerce-container
nginx:alpine]
            end
        end

        subgraph SecurityGroups[Security Groups]
            ALBSG[ALB SG
Inbound: 80
Source: 0.0.0.0/0]
            FSG[Fargate SG
Inbound: 80
Source: ALB SG]
        end
    end

    Internet((Internet)) --> IGW[Internet Gateway]
    IGW --> LB

    LB --> |/auth/*| TG1
    LB --> |/ecommerce/*| TG2

    TG1 --> AS
    TG2 --> ES

    ALBSG --> FSG

    PS1 ---- AS & ES
    PS2 ---- AS & ES

    style VPC fill:#f5f5f5,stroke:#333,stroke-width:2px
    style PublicSubnets fill:#e1f5fe,stroke:#333,stroke-width:1px
    style ALB fill:#fff3e0,stroke:#333,stroke-width:1px
    style ECS fill:#e8f5e9,stroke:#333,stroke-width:1px
    style SecurityGroups fill:#fce4ec,stroke:#333,stroke-width:1px
        
graph LR
    B[environments]
    C[modules]

    B --> D[dev]
    B --> E[prod]

    D --> D1[main.tf]
    D --> D2[variables.tf]
    D --> D3[terraform.tfvars]
    D --> D4[provider.tf]
    D --> D5[backend.tf]
    D --> D6[outputs.tf]

    E --> E1[main.tf]
    E --> E2[variables.tf]
    E --> E3[terraform.tfvars]
    E --> E4[provider.tf]
    E --> E5[backend.tf]
    E --> E6[outputs.tf]

    C --> F[ecs]
    C --> G[networking]
    C --> H[rds]
    C --> I[security]

    F --> F1[main.tf]
    F --> F2[variables.tf]
    F --> F3[outputs.tf]
    F --> F4[ecs-cluster.tf]
    F --> F5[ecs-service-product.tf]
    F --> F6[ecs-service-order.tf]
    F --> F7[task-definitions.tf]

    G --> G1[main.tf]
    G --> G2[variables.tf]
    G --> G3[outputs.tf]
    G --> G4[vpc.tf]
    G --> G5[subnets.tf]
    G --> G6[security-groups.tf]
    G --> G7[alb.tf]

    H --> H1[main.tf]
    H --> H2[variables.tf]
    H --> H3[outputs.tf]
    H --> H4[rds-product.tf]
    H --> H5[rds-order.tf]

    I --> I1[main.tf]
    I --> I2[variables.tf]
    I --> I3[outputs.tf]
    I --> I4[iam-roles.tf]
    I --> I5[kms.tf]

Simple Ecommerce


        1. A VPC with two public subnets across different availability zones
        2. An Application Load Balancer that routes traffic based on paths:
        - `/auth/*` routes to the auth service
        - `/ecommerce/*` routes to the ecommerce service
        3. Two ECS Fargate services running nginx containers
        4. Security groups controlling traffic flow:
        - ALB security group allowing inbound HTTP traffic from internet
        - Fargate security group allowing traffic only from the ALB
        5. Internet Gateway providing internet connectivity

        
            
    terraform {
      required_providers {
        aws = {
          source  = "hashicorp/aws"
          version = "~> 5.0"
        }
      }
      required_version = ">= 1.2.0"
    }

    provider "aws" {
      region = "us-east-1"
    }

    ##################
    # VPC + Subnets  #
    ##################

    resource "aws_vpc" "main" {
      cidr_block = "10.0.0.0/16"
      tags = {
        Name = "demo-vpc"
      }
    }

    resource "aws_internet_gateway" "gw" {
      vpc_id = aws_vpc.main.id
      tags = {
        Name = "demo-internet-gateway"
      }
    }

    resource "aws_subnet" "public_1" {
      vpc_id                  = aws_vpc.main.id
      cidr_block             = "10.0.1.0/24"
      map_public_ip_on_launch = true
      availability_zone       = "us-east-1a"
      tags = {
        Name = "demo-public-subnet-1"
      }
    }

    resource "aws_subnet" "public_2" {
      vpc_id                  = aws_vpc.main.id
      cidr_block             = "10.0.2.0/24"
      map_public_ip_on_launch = true
      availability_zone       = "us-east-1b"
      tags = {
        Name = "demo-public-subnet-2"
      }
    }

    resource "aws_route_table" "public" {
      vpc_id = aws_vpc.main.id
      tags = {
        Name = "demo-public-rt"
      }
    }

    resource "aws_route" "public_default_route" {
      route_table_id         = aws_route_table.public.id
      destination_cidr_block = "0.0.0.0/0"
      gateway_id             = aws_internet_gateway.gw.id
    }

    resource "aws_route_table_association" "public_1" {
      subnet_id      = aws_subnet.public_1.id
      route_table_id = aws_route_table.public.id
    }

    resource "aws_route_table_association" "public_2" {
      subnet_id      = aws_subnet.public_2.id
      route_table_id = aws_route_table.public.id
    }

    #######################
    # Security Group (ALB)#
    #######################

    resource "aws_security_group" "alb_sg" {
      name        = "demo-alb-sg"
      description = "ALB security group"
      vpc_id      = aws_vpc.main.id

      ingress {
        description      = "Allow HTTP inbound"
        from_port        = 80
        to_port          = 80
        protocol         = "tcp"
        cidr_blocks      = ["0.0.0.0/0"]
      }

      egress {
        description = "Allow all outbound"
        from_port   = 0
        to_port     = 0
        protocol    = "-1"
        cidr_blocks = ["0.0.0.0/0"]
      }

      tags = {
        Name = "demo-alb-sg"
      }
    }

    ############################
    # Security Group (Fargate) #
    ############################

    resource "aws_security_group" "fargate_sg" {
      name        = "demo-fargate-sg"
      description = "Fargate service security group"
      vpc_id      = aws_vpc.main.id

      # ALB --> Fargate Services
      ingress {
        description            = "Allow inbound from ALB on port 80"
        from_port              = 80
        to_port                = 80
        protocol               = "tcp"
        security_groups        = [aws_security_group.alb_sg.id]
      }

      egress {
        description = "Allow all outbound"
        from_port   = 0
        to_port     = 0
        protocol    = "-1"
        cidr_blocks = ["0.0.0.0/0"]
      }

      tags = {
        Name = "demo-fargate-sg"
      }
    }

    ########################
    # Application LB Setup #
    ########################

    resource "aws_lb" "this" {
      name               = "demo-alb"
      load_balancer_type = "application"
      security_groups    = [aws_security_group.alb_sg.id]
      subnets            = [aws_subnet.public_1.id, aws_subnet.public_2.id]

      tags = {
        Name = "demo-alb"
      }
    }

    resource "aws_lb_target_group" "auth_tg" {
      name        = "tg-auth"
      port        = 80
      protocol    = "HTTP"
      vpc_id      = aws_vpc.main.id
      target_type = "ip"

      health_check {
        path = "/"
        port = "traffic-port"
      }
    }

    resource "aws_lb_target_group" "ecommerce_tg" {
      name        = "tg-ecommerce"
      port        = 80
      protocol    = "HTTP"
      vpc_id      = aws_vpc.main.id
      target_type = "ip"

      health_check {
        path = "/"
        port = "traffic-port"
      }
    }

    resource "aws_lb_listener" "http" {
      load_balancer_arn = aws_lb.this.arn
      port              = "80"
      protocol          = "HTTP"
      default_action {
        type = "fixed-response"
        fixed_response {
          content_type = "text/plain"
          message_body = "404 Not Found"
          status_code  = "404"
        }
      }
    }

    # Path-based routing: /auth/* => auth_tg, /ecommerce/* => ecommerce_tg
    resource "aws_lb_listener_rule" "auth_rule" {
      listener_arn = aws_lb_listener.http.arn
      priority     = 10

      action {
        type             = "forward"
        target_group_arn = aws_lb_target_group.auth_tg.arn
      }

      condition {
        path_pattern {
          values = ["/auth/*"]
        }
      }
    }

    resource "aws_lb_listener_rule" "ecommerce_rule" {
      listener_arn = aws_lb_listener.http.arn
      priority     = 20

      action {
        type             = "forward"
        target_group_arn = aws_lb_target_group.ecommerce_tg.arn
      }

      condition {
        path_pattern {
          values = ["/ecommerce/*"]
        }
      }
    }

    ############################
    # ECS Cluster + IAM + Task #
    ############################

    resource "aws_ecs_cluster" "this" {
      name = "demo-cluster"
    }

    resource "aws_iam_role" "task_execution_role" {
      name               = "demo-ecsTaskExecutionRole"
      assume_role_policy = data.aws_iam_policy_document.ecs_task_execution_role.json
    }

    data "aws_iam_policy_document" "ecs_task_execution_role" {
      statement {
        actions = [
          "sts:AssumeRole",
        ]
        principals {
          type        = "Service"
          identifiers = ["ecs-tasks.amazonaws.com"]
        }
      }
    }

    # Attach AWS managed policy for ECS Task Execution
    resource "aws_iam_role_policy_attachment" "task_execution_attach" {
      policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
      role       = aws_iam_role.task_execution_role.name
    }

    ##########################
    # Auth Service Resources #
    ##########################

    # Minimal Task Definition for the auth service
    resource "aws_ecs_task_definition" "auth" {
      family                   = "auth-task"
      network_mode             = "awsvpc"
      requires_compatibilities = ["FARGATE"]
      cpu                      = 256
      memory                   = 512
      execution_role_arn       = aws_iam_role.task_execution_role.arn

      container_definitions = <