-
Notifications
You must be signed in to change notification settings - Fork 1
docs: Add AWS architecture diagram and documentation #117
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Draft
killev
wants to merge
48
commits into
main
Choose a base branch
from
create-terraform-configuration
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
+4,545
−532
Draft
Changes from 1 commit
Commits
Show all changes
48 commits
Select commit
Hold shift + click to select a range
ce33511
Add AWS architecture diagram and documentation
killev 3fcc647
Migrate infrastructure from MongoDB EC2 to managed services with comp…
killev 196a33b
Standardize Terraform backend configuration and add initialization sc…
killev e5e4b60
Enhance Terraform backend initialization with improved error handling…
killev 45d75c7
Refactor Terraform configuration and remove DynamoDB state locking
killev 0bad9ce
Refactor Terraform configuration and split IAM policies
killev 5f51b9c
Reorganize Terraform IAM policies and simplify Redis configuration
killev a3f4473
Add additional AWS permissions to Terraform core management policy
killev 0ffa8ab
Enhance ECS infrastructure with configurable parameters and auto-scaling
killev a6bd59a
Make Terraform configuration more flexible and configurable
killev e807885
Update Terraform infrastructure configuration and IAM policies - Enha…
killev d824a1d
Update Terraform IAM policies for core and service management
killev aa4b964
Replace auto-generated Redis auth token with user-provided variable
killev 156934d
Enhance AWS infrastructure configuration and S3 setup
killev 37c7f8a
Add bastion host module for secure SSH access to infrastructure
killev b21f767
Improve bastion host configuration and IAM permissions
killev ff1a0d0
Add AWS deployment infrastructure and fix configuration issues
killev 9f1d99d
Add Terraform deployment automation and release tracking
killev e72605e
feat: refactor DocumentDB connection to use separate environment vari…
killev 6d4c974
Improve DocumentDB connection configuration for AWS compatibility
killev 2851747
Update infrastructure configuration and deployment workflow - Update …
killev 5d1a159
Merge commit '0db4fcbe6a3b20651351d3131cb2a51467191b61' into create-t…
killev 5c8bc9e
Standardize environment naming and enhance Terraform configuration
killev 7e5da24
Restructure infrastructure configuration and update CI/CD workflow
killev 1b2fece
Update GitHub workflow for Terraform deployment configuration
killev 15a40d5
Fix GitHub Actions workflow for terraform configuration
killev 4616764
Reorganize deployment configuration into environments structure
killev a53edfa
Fix directory name typo in deployment configuration
killev 283e35b
Fix Terraform configuration and AWS region in deploy workflow
killev 4b67b30
Fix terraform plan output path and enable S3 plan storage
killev 0e79606
Fix Terraform plan file paths in GitHub workflow
killev b400800
Fix AWS region configuration in deployment workflow
killev 88e7564
Simplify GitHub workflow and update ECR repository naming
killev 8b49799
Update Terraform version to 1.12.0 in apply job
killev ad646a3
Fix Terraform lock file consistency issue in GitHub Actions - Add ste…
killev 03a5c5b
Fix duplicate cd command in terraform apply step
killev c2bb29c
Remove duplicate cd deployment command in workflow
killev 9d2154a
Update Docker build step in AWS deployment workflow
killev 797968f
Update Docker build configuration and ignore patterns
killev 50d0594
Simplify ECS secrets configuration in Terraform
killev d21c003
Add AWS environment destruction workflow and documentation
killev 5f884d9
Update wget version to 1.25.0-r1 in Dockerfile
killev b98f1ab
Resolve merge conflicts: keep full implementation and AWS certificate
killev 775bd50
Add conditional approval for AWS environment destruction
killev 168bb71
Add environment specification to destroy workflow jobs
killev a1aced8
Optimize GitHub Actions destroy workflow conditions
killev b59b21d
Fix manual approval conditions in destroy AWS environment workflow
killev 3b5bac3
Add force delete option to ECR repository
killev File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,115 @@ | ||
| # SF Website AWS Architecture | ||
|
|
||
| ## Principal AWS Architecture Diagram | ||
|
|
||
| ```mermaid | ||
| flowchart TB | ||
| %% External actors | ||
| Users[👥 Users] | ||
| GitHub[🐙 GitHub Actions CI/CD] | ||
|
|
||
| %% Public facing components | ||
| ALB[⚖️ Application Load Balancer<br/>sf-website-alb-env<br/>HTTPS Only] | ||
| CF[🌐 CloudFront Distribution<br/>sf-website-media-env<br/>CDN for Media Assets] | ||
|
|
||
| %% Compute layer | ||
| ECS[🚢 ECS Fargate Cluster<br/>sf-website-ecs-cluster-env<br/>Apostrophe CMS App] | ||
| ECR[🐳 ECR Repository<br/>sf-website-ecr-env<br/>Container Images] | ||
|
|
||
| %% Storage layer | ||
| S3_Attachments[🪣 S3 Attachments Bucket<br/>sf-website-s3-attachments-env<br/>Media & Files] | ||
| S3_Logs[🪣 S3 Logs Bucket<br/>sf-website-s3-logs-env<br/>Centralized Logs] | ||
| MongoDB[📄 MongoDB on EC2<br/>sf-website-mongodb-env<br/>t3.medium + 100GB EBS] | ||
|
|
||
| %% Security & Identity | ||
| IAM_Task[👤 ECS Task Role<br/>sf-website-ecs-task-env<br/>S3 Access Permissions] | ||
| IAM_Exec[👤 ECS Execution Role<br/>sf-website-ecs-execution-env<br/>ECR & Parameter Store] | ||
| ParamStore[🔐 Parameter Store<br/>Session Secrets & DB Credentials] | ||
|
|
||
| %% Monitoring & Backup | ||
| CloudWatch[📊 CloudWatch<br/>sf-website-cloudwatch-env<br/>Logs & Metrics] | ||
| AWSBackup[💾 AWS Backup<br/>Daily EBS Snapshots<br/>7 daily, 4 weekly retention] | ||
|
|
||
| %% User flows | ||
| Users -->|HTTPS requests| ALB | ||
| Users -->|Media requests| CF | ||
|
|
||
| %% CI/CD flow | ||
| GitHub -->|Build & Push| ECR | ||
| GitHub -->|Deploy| ECS | ||
|
|
||
| %% Load balancer to application | ||
| ALB -->|Route traffic| ECS | ||
|
|
||
| %% CloudFront to storage | ||
| CF -->|Origin requests| S3_Attachments | ||
|
|
||
| %% ECS relationships | ||
| ECS -->|Pull images| ECR | ||
| ECS -->|Read/Write media| S3_Attachments | ||
| ECS -->|Database operations| MongoDB | ||
| ECS -->|Get secrets| ParamStore | ||
| ECS -->|Send logs| CloudWatch | ||
|
|
||
| %% IAM relationships | ||
| IAM_Task -.->|Assume role| ECS | ||
| IAM_Exec -.->|Assume role| ECS | ||
| IAM_Task -.->|S3 permissions| S3_Attachments | ||
| IAM_Exec -.->|ECR permissions| ECR | ||
| IAM_Exec -.->|Parameter Store| ParamStore | ||
|
|
||
| %% Logging flows | ||
| ALB -->|Access logs| S3_Logs | ||
| CF -->|Access logs| S3_Logs | ||
| S3_Attachments -->|Server logs| S3_Logs | ||
|
|
||
| %% Monitoring | ||
| ECS -->|Metrics & logs| CloudWatch | ||
| ALB -->|Metrics| CloudWatch | ||
| MongoDB -->|System metrics| CloudWatch | ||
|
|
||
| %% Backup | ||
| AWSBackup -->|Snapshot| MongoDB | ||
|
||
|
|
||
| %% Styling | ||
| classDef public fill:#e1f5fe | ||
| classDef compute fill:#f3e5f5 | ||
| classDef storage fill:#e8f5e8 | ||
| classDef security fill:#fff3e0 | ||
| classDef monitoring fill:#fce4ec | ||
|
|
||
| class ALB,CF public | ||
| class ECS,ECR compute | ||
| class S3_Attachments,S3_Logs,MongoDB storage | ||
| class IAM_Task,IAM_Exec,ParamStore security | ||
| class CloudWatch,AWSBackup monitoring | ||
| ``` | ||
|
|
||
| ## Key Architecture Components | ||
|
|
||
| ### 🌐 Public Layer | ||
| - **Application Load Balancer**: HTTPS-only entry point for web traffic | ||
| - **CloudFront**: Global CDN for media asset delivery from S3 | ||
|
|
||
| ### 🚢 Compute Layer | ||
| - **ECS Fargate**: Serverless container hosting for Apostrophe CMS | ||
| - **ECR**: Private container registry for application images | ||
|
|
||
| ### 🪣 Storage Layer | ||
| - **S3 Attachments**: Media files and uploads from CMS | ||
| - **S3 Logs**: Centralized logging for all services | ||
| - **MongoDB on EC2**: Primary database with automated backups | ||
|
|
||
| ### 👤 Security Layer | ||
| - **IAM Roles**: Least-privilege access for ECS tasks | ||
| - **Parameter Store**: Secure storage for secrets and configuration | ||
|
|
||
| ### 📊 Operations Layer | ||
| - **CloudWatch**: Monitoring, metrics, and alerting | ||
| - **AWS Backup**: Automated daily snapshots with retention policies | ||
|
|
||
| ## Environment Isolation | ||
| All resources are tagged and named with environment suffix: | ||
| - `dev`, `staging`, `prod` | ||
| - Complete isolation between environments | ||
| - Consistent naming: `sf-website-<service>-<env>` | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Consider adding a legend to clarify the significance of dashed arrows (used for IAM relationships) versus solid arrows in the Mermaid diagram for better reader comprehension.