Throughout this article, we will be using the following short names.<\/p>\n
- \n
- ALB<\/strong> – Application load balancer<\/li>\n
- ASG<\/strong> – Autoscaling Group<\/li>\n<\/ol>\n
Note:<\/strong> If you are not aware of AWS Load Balancer <\/a>and Autoscaling Group concepts, we suggest you understand it before following this setup.<\/p><\/blockquote>\n
Prerequisites<\/h2>\n
To follow this guide you need to have the following.<\/p>\n
- \n
- The latest Terraform binary is installed and configured in your system.<\/li>\n
- AWS CLI<\/a> is installed and configured with a valid AWS account with permission to deploy the autoscaling group and application load balancer.<\/li>\n
- If you are using an ec2 instance to run Terraform, ensure you attach an IAM role<\/a> with permission to create ASG and ALB.<\/li>\n<\/ol>\n
Setup Architecture & Overview<\/h2>\n
Here is the high-level architecture of the setup we are going to create.<\/p>\n
![\"Terraform](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/lb-asg-workflow-1.gif\")
Click to View in HD<\/span><\/figcaption><\/figure>\n Here is the high-level overview of the AWS resources and components created by this setup.<\/p>\n
- \n
- IAM role<\/strong> with required policies and the role is attached to an IAM instance profile<\/a> which will be then attached to every instance that is part of the autoscaling group.<\/li>\n
- The auto-scaling group<\/strong> manages a specified number of instances and uses the launch template<\/strong> with the required configurations to launch an instance.<\/li>\n
- Application load balancers send traffic to the ASG instances. It creates a target group<\/strong> and creates an LB listener<\/strong> that listens to port 80 for HTTP traffic and forwards it to the specified target group(ASG)<\/strong> to distribute traffic.<\/li>\n
- Health checks<\/strong> are added to instances in the target group to check the status of the instance. If the instance health check fails, it destroys the instance and launches a new instance. Once the new instance is in a healthy state, the application load balancer will then forward the traffic to the newly launched instance.<\/li>\n<\/ol>\n
We have separate security groups<\/strong> for ALB and ASG EC2 instances. For ASG, traffic on port 8080<\/strong> will be accepted only from the ALB. We achieve this by adding the security group ID of the ALB as the source<\/strong> traffic for the ASG security group. Also, we allow port 22 access only from a specific subnet.<\/p>\n
Here is a high-level view of how ALB and ASG security groups are designed.<\/p>\n
![\"AWS](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/asg-sg-workflow-1.gif\")
Click to View in HD<\/span><\/figcaption><\/figure>\n Terraform ALB and ASG Code Repository<\/h2>\n
ALB and ASG terraform code is a part of the terraform AWS<\/a> repository. Clone it to your workstation to follow the guide.<\/p>\n
git clone https:\/\/github.com\/techiescamp\/terraform-aws.git<\/code><\/pre>\nFork and clone the repository if you intend to reuse and make changes as per your requirements.<\/p>\n
Note:<\/strong> When using Terraform in production, it has to go through the infra-CI review process using tools like Tflint, Terratest, Checkov, etc.<\/p><\/blockquote>\n
Terraform AWS ALB and ASG Provisioning Workflow<\/h2>\n
![\"Terraform](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/alb-asg-workflow-1.gif\")
Click to View in HD<\/span><\/figcaption><\/figure>\n The ALB and ASG terraform script is structured in the following way.<\/p>\n
\u251c\u2500\u2500 apps\n\u2502 \u251c\u2500\u2500 alb-asg\n\u2502 \u2502 \u251c\u2500\u2500 main.tf\n\u2502 \u2502 \u251c\u2500\u2500 outputs.tf\n\u2502 \u2502 \u2514\u2500\u2500 variables.tf\n\u251c\u2500\u2500 infra\n\u2502 \u2514\u2500\u2500 iam-policies\n\u2502 \u2514\u2500\u2500 alb-asg.json\n\u251c\u2500\u2500 modules\n\u2502 \u251c\u2500\u2500 asg\n\u2502 \u2502 \u251c\u2500\u2500 main.tf\n\u2502 \u2502 \u251c\u2500\u2500 outputs.tf\n\u2502 \u2502 \u2514\u2500\u2500 variables.tf\n\u2502 \u251c\u2500\u2500 iam-policy\n\u2502 \u2502 \u251c\u2500\u2500 main.tf\n\u2502 \u2502 \u251c\u2500\u2500 outputs.tf\n\u2502 \u2502 \u2514\u2500\u2500 variables.tf\n\u2502 \u251c\u2500\u2500 alb\n\u2502 \u2502 \u251c\u2500\u2500 main.tf\n\u2502 \u2502 \u251c\u2500\u2500 outputs.tf\n\u2502 \u2502 \u2514\u2500\u2500 variables.tf\n\u2502 \u2514\u2500\u2500 security-group\n\u2502 \u251c\u2500\u2500 main.tf\n\u2502 \u251c\u2500\u2500 outputs.tf\n\u2502 \u2514\u2500\u2500 variables.tf\n\u2514\u2500\u2500 vars\n \u2514\u2500\u2500 dev\n \u2514\u2500\u2500 alb-asg.tfvars<\/code><\/pre>\nvars<\/strong><\/code> folder contains the variables file namedalb-asg.tfvars<\/code><\/p>\nappsalb-asg<\/strong><\/code> folder contains the parent terraform module (main.tf<\/code>) that calls the child modules under themodules<\/code><\/strong> folder<\/p>\ninfra\/iam-policies<\/code><\/strong> contains the IAM JSON policy document namedalb-asg.json<\/code><\/strong> that will be added to the Instance Profile.<\/p>\nThe child modules contain the following resources<\/p>\n
- \n
- IAM Role:<\/strong> For ec2 instance in the autoscaling group to access other AWS services.<\/li>\n
- Security Group: <\/strong>To allow & deny access to\/from the load balancer and ec2 instance.<\/li>\n
- Load Balancer:<\/strong> It distributes incoming traffic to EC2 instances using the Round Robin <\/strong>algorithm.<\/li>\n
- Target Group:<\/strong> To evenly distribute traffic throughout a collection of EC2 instances.<\/li>\n
- Listener: <\/strong>It monitors incoming requests on a certain port and notifies the target group.<\/li>\n
- Auto Scaling Group:<\/strong> It automatically scales EC2 instances based on demand, which maintains application availability and also keeps track of instance health, and replaces failing instances.<\/li>\n
- Launch Template:<\/strong> A template that contains the AMI details, keypair, etc. This template will be applied to the autoscaling group instances.<\/li>\n<\/ol>\n
Application AMI<\/h2>\n
For this demo, we will be using a Java application AMI that runs on port 8080. You need an AMI with some application running to deploy it in the autoscaling group.<\/p>\n
If you want to use the same AMI we have used in this guide, you can use the AMI id
ami-020f3ca563c92097b<\/code><\/strong> in the us-west-2 region that we have made public.<\/p>\nIf you want to create the same AMI, you can refer to the Build Java Application AMI<\/a> blog for detailed steps to build the AMI using Packer.<\/p>\n
Provisioning ASG and ALB Using Terraform<\/h2>\n
This demo is based on the following values<\/p>\n
- \n
- Region<\/strong>: us-west-2<\/li>\n
- Public AMI ID<\/strong> (Java Application):
ami-020f3ca563c92097b<\/code><\/li>\n<\/ol>\nFollows the steps given below to provision the autoscaling group with an application load balancer.<\/p>\n
Step 1: Modify the ALB and ASG variables<\/h3>\n
Open the
alb-asg.tfvars<\/code><\/strong> file present in the vars\/dev<\/strong> folder.<\/p>\nYou need to modify the variables marked in bold as per your requirements.<\/p>\n
region = \"us-west-2\"\n\n# alb\ninternal = false\nloadbalancer_type = \"application\"\nalb_subnets = [\"subnet-058a7514ba8adbb07\", \"subnet-0dbcd1ac168414927\", \"subnet-032f5077729435858\"]\n\n#alb-sg\nalb_ingress_cidr_from_port = [80]\nalb_ingress_cidr_to_port = [80]\nalb_ingress_cidr_protocol = [\"tcp\"]\nalb_ingress_cidr_block = [\"0.0.0.0\/0\"]\nalb_create_ingress_cidr = true\n\nalb_ingress_sg_from_port = [8080]\nalb_ingress_sg_to_port = [8080]\nalb_ingress_sg_protocol = [\"tcp\"]\nalb_create_ingress_sg = false\n\nalb_egress_cidr_from_port = [0]\nalb_egress_cidr_to_port = [0]\nalb_egress_cidr_protocol = [\"-1\"]\nalb_egress_cidr_block = [\"0.0.0.0\/0\"]\nalb_create_egress_cidr = true\n\nalb_egress_sg_from_port = [0]\nalb_egress_sg_to_port = [0]\nalb_egress_sg_protocol = [\"-1\"]\nalb_create_egress_sg = false\n\n# instance sg\ningress_cidr_from_port = [22]\ningress_cidr_to_port = [22]\ningress_cidr_protocol = [\"tcp\"]\ningress_cidr_block = [\"0.0.0.0\/0\"]\ncreate_ingress_cidr = true\n\ningress_sg_from_port = [8080]\ningress_sg_to_port = [8080]\ningress_sg_protocol = [\"tcp\"]\ncreate_ingress_sg = true\n\negress_cidr_from_port = [0]\negress_cidr_to_port = [0]\negress_cidr_protocol = [\"-1\"]\negress_cidr_block = [\"0.0.0.0\/0\"]\ncreate_egress_cidr = true\n\negress_sg_from_port = [8080]\negress_sg_to_port = [8080]\negress_sg_protocol = [\"tcp\"]\ncreate_egress_sg = false\n\n# target_group\ntarget_group_port = 8080\ntarget_group_protocol = \"HTTP\"\ntarget_type = \"instance\"\nload_balancing_algorithm = \"round_robin\"\n\n# health_check\nhealth_check_path = \"\/\"\nhealth_check_port = 8080\nhealth_check_protocol = \"HTTP\"\nhealth_check_interval = 30\nhealth_check_timeout = 5\nhealth_check_healthy_treshold = 2\nhealth_check_unhealthy_treshold = 2\n\n#alb_listener\nlistener_port = 80\nlistener_protocol = \"HTTP\"\nlistener_type = \"forward\"\n\n#launch_template\nami_id = \"ami-020f3ca563c92097b\"\ninstance_type = \"t2.medium\"\nkey_name = \"techiescamp\"\nvpc_id = \"vpc-0a5ca4a92c2e10163\"\nasg_subnets = [\"subnet-058a7514ba8adbb07\", \"subnet-0dbcd1ac168414927\", \"subnet-032f5077729435858\"]\npublic_access = true\n\n#user_data\nuser_data = <<-EOF\n #!\/bin\/bash\n bash \/home\/ubuntu\/start.sh\n EOF\n\n#autoscaling_group\nmax_size = 2\nmin_size = 1\ndesired_capacity = 1\npropagate_at_launch = true\ninstance_warmup_time = 30\ntarget_value = 50\n\n#tags\nowner = \"techiescamp\"\nenvironment = \"dev\"\ncost_center = \"techiescamp-commerce\"\napplication = \"java-app\"\n<\/code><\/pre>\nStep 2: Initialize terraform<\/h3>\n
Once the variables are modified as per your requirements, cd into
apps\/alb-asg<\/code><\/strong> directory.<\/p>\ncd apps\/alb-asg<\/code><\/pre>\nInside the alb-asg<\/strong> folder, you can find the main.tf<\/strong> parent module where it calls the load balancer, auto-scaling group, and IAM policy child modules present in the modules directory as shown below.<\/p>\n
provider \"aws\" {\n region = var.region\n}\n\nmodule \"iam-policy\" {\n source = \"..\/..\/..\/modules\/iam-policy\"\n owner = var.owner\n environment = var.environment\n cost_center = var.cost_center\n application = var.application\n}\n\nmodule \"alb-sg\" {\n source = \"..\/..\/..\/modules\/security-group\"\n region = var.region\n tags = var.tags\n name = \"${var.environment}-${var.application}\"\n environment = var.environment\n owner = var.owner\n cost_center = var.cost_center\n application = \"${var.application}-alb\"\n vpc_id = var.vpc_id\n\n ingress_cidr_from_port = var.alb_ingress_cidr_from_port\n ingress_cidr_to_port = var.alb_ingress_cidr_to_port\n ingress_cidr_protocol = var.ingress_cidr_protocol\n ingress_cidr_block = var.alb_ingress_cidr_block\n create_ingress_cidr = var.alb_create_ingress_cidr\n\n ingress_sg_from_port = var.alb_ingress_sg_from_port\n ingress_sg_to_port = var.alb_ingress_sg_to_port\n ingress_sg_protocol = var.alb_ingress_sg_protocol\n ingress_security_group_ids = var.ingress_security_group_ids\n create_ingress_sg = var.alb_create_ingress_sg\n\n egress_cidr_from_port = var.alb_egress_cidr_from_port\n egress_cidr_to_port = var.alb_egress_cidr_to_port\n egress_cidr_protocol = var.alb_egress_cidr_protocol\n egress_cidr_block = var.alb_egress_cidr_block\n create_egress_cidr = var.alb_create_egress_cidr\n\n egress_sg_from_port = var.alb_egress_sg_from_port\n egress_sg_to_port = var.alb_egress_sg_to_port\n egress_sg_protocol = var.alb_egress_sg_protocol\n egress_security_group_ids = var.egress_security_group_ids\n create_egress_sg = var.alb_create_egress_sg\n}\n\nmodule \"alb\" {\n source = \"..\/..\/..\/modules\/alb\"\n region = var.region\n internal = var.internal\n loadbalancer_type = var.loadbalancer_type\n vpc_id = var.vpc_id\n alb_subnets = var.alb_subnets\n target_group_port = var.target_group_port\n target_group_protocol = var.target_group_protocol\n target_type = var.target_type\n load_balancing_algorithm = var.load_balancing_algorithm\n health_check_path = var.health_check_path\n health_check_port = var.health_check_port\n health_check_protocol = var.health_check_protocol\n health_check_interval = var.health_check_interval\n health_check_timeout = var.health_check_timeout\n health_check_healthy_treshold = var.health_check_healthy_treshold\n health_check_unhealthy_treshold = var.health_check_unhealthy_treshold\n listener_port = var.listener_port\n listener_protocol = var.listener_protocol\n listener_type = var.listener_type\n owner = var.owner\n environment = var.environment\n cost_center = var.cost_center\n application = var.application\n security_group_ids = module.alb-sg.security_group_ids\n}\n\nmodule \"instance-sg\" {\n source = \"..\/..\/..\/modules\/security-group\"\n region = var.region\n tags = var.tags\n name = \"${var.environment}-${var.application}\"\n environment = var.environment\n owner = var.owner\n cost_center = var.cost_center\n application = var.application\n vpc_id = var.vpc_id\n\n ingress_cidr_from_port = var.ingress_cidr_from_port\n ingress_cidr_to_port = var.ingress_cidr_to_port\n ingress_cidr_protocol = var.ingress_cidr_protocol\n ingress_cidr_block = var.ingress_cidr_block\n create_ingress_cidr = var.create_ingress_cidr\n\n ingress_sg_from_port = var.ingress_sg_from_port\n ingress_sg_to_port = var.ingress_sg_to_port\n ingress_sg_protocol = var.ingress_sg_protocol\n ingress_security_group_ids = module.alb-sg.security_group_ids\n create_ingress_sg = var.create_ingress_sg\n\n egress_cidr_from_port = var.egress_cidr_from_port\n egress_cidr_to_port = var.egress_cidr_to_port\n egress_cidr_protocol = var.egress_cidr_protocol\n egress_cidr_block = var.egress_cidr_block\n create_egress_cidr = var.create_egress_cidr\n\n egress_sg_from_port = var.egress_sg_from_port\n egress_sg_to_port = var.egress_sg_to_port\n egress_sg_protocol = var.egress_sg_protocol\n egress_security_group_ids = module.alb-sg.security_group_ids\n create_egress_sg = var.create_egress_sg\n}\n\nmodule \"asg\" {\n source = \"..\/..\/..\/modules\/asg\"\n ami_id = var.ami_id\n instance_type = var.instance_type\n key_name = var.key_name\n vpc_id = var.vpc_id\n asg_subnets = var.asg_subnets\n public_access = var.public_access\n user_data = var.user_data\n max_size = var.max_size\n min_size = var.min_size\n desired_capacity = var.desired_capacity\n propagate_at_launch = var.propagate_at_launch\n owner = var.owner\n environment = var.environment\n cost_center = var.cost_center\n application = var.application\n instance_warmup_time = var.instance_warmup_time\n target_value = var.target_value\n alb_target_group_arn = module.alb.alb_target_group_arn\n iam_role = module.iam-policy.iam_role\n security_group_ids = module.instance-sg.security_group_ids\n tags = {\n Owner = \"${var.owner}\"\n Environment = \"${var.environment}\"\n Cost_center = \"${var.cost_center}\"\n Application = \"${var.application}\"\n }\n}\n\n<\/code><\/pre>\nInitialize Terraform using the following command<\/p>\n
terraform init<\/code><\/pre>\nThis command initializes terraform. Make sure to run the init command inside the environments\/dev\/alb-asg<\/strong> directory.<\/p>\n
Step 3: Validate Configurations<\/h3>\n
Validate terraform configs using the validate command.<\/p>\n
terraform validate<\/code><\/pre>\nStep 4: Execute the configuration plan<\/h3>\n
To verify the configurations, run terraform plan with the variable file.<\/p>\n
terraform plan -var-file=..\/..\/..\/vars\/dev\/alb-asg.tfvars<\/code><\/pre>\nStep 5:<\/strong> Apply the configuration<\/h3>\n
After verifying, apply the configurations using the command given below.<\/p>\n
terraform apply -var-file=..\/..\/..\/vars\/dev\/alb-asg.tfvars --auto-approve<\/code><\/pre>\nOnce the code is successfully executed, check if everything in the Terraform code is provisioned by visiting the AWS console.<\/p>\n
If you have used the AMI id we provided, the load balancer URL should give the webpage as shown below.<\/p>\n
![\"AWS](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/image-2-42.png\")
<\/figure>\nCheck if the auto-scaling group is working by terminating the instance, if it launches a new instance automatically it means it is working as expected.<\/p>\n
It takes approximately 30 seconds to launch a new instance.<\/p>\n
Step 6: Cleanup<\/h3>\n
To clean up the setup, use the following command.<\/p>\n
terraform destroy -var-file=..\/..\/..\/vars\/dev\/alb-asg.tfvars<\/code><\/pre>\nNote<\/strong>: There are many parameters supported by the autoscaling group and application load balancer resources. If you want to deploy these for production use cases, please refer to the official documentation and design a solution that complies with security and availability as per organizational standards. Refer to terraform official aws_autoscaling_group<\/a> and aws_lb<\/a> to know about all the supported parameters.<\/p><\/blockquote>\n
Conclusion<\/h2>\n
In this guide, we looked at terraform autoscaling groups and application load balancer provisioning.<\/p>\n
When using Autoscaling groups and load balancers for production, you must consider security, availability, <\/strong>cloudwatch logging<\/strong><\/a>, scalability, and <\/strong>monitoring<\/strong><\/a>. Whether you are using a community module or a custom terraform AWS module, ensure you follow the organization\u2019s standards.<\/p>\n
You can also check out our guide on provisioning RDS using Terraform<\/a>.<\/p>\n
\n - Public AMI ID<\/strong> (Java Application):
- Security Group: <\/strong>To allow & deny access to\/from the load balancer and ec2 instance.<\/li>\n
- The auto-scaling group<\/strong> manages a specified number of instances and uses the launch template<\/strong> with the required configurations to launch an instance.<\/li>\n
- If you are using an ec2 instance to run Terraform, ensure you attach an IAM role<\/a> with permission to create ASG and ALB.<\/li>\n<\/ol>\n
- ASG<\/strong> – Autoscaling Group<\/li>\n<\/ol>\n