Infrastructure

You can consider this a very short introduction. A place to learn something about what you don’t know, where to look, and what questions to ask.

Our infrastructure is almost all declaratively defined in infra, using a combination of OpenTofu and Terragrunt.

AWS

AWS hosts almost everything that is in use.

Infrastructure should be segmented at the account level by customer. This means that, for example, the customers/ulster account is completely distinct from the customers/eugene account. Internal resources are in accounts that start with internal/.

Aggregator and Prod are legacy. They continue to host infrastructure, but should not be used for new things.

Infra contains a roster.hcl file that outlines which users get access to which accounts, and with which roles.
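As an added example (not code from the infra repository), here is the kind of review script you can run over the roster to answer the two questions this page raises: which accounts a user can reach, and whether any grant cuts across the account segmentation described above. The real roster.hcl is HCL and its schema is not shown here, so the dict layout (user -> account -> roles), the user names and the role names are assumptions; the account families (customers/, internal/) and the legacy accounts (Aggregator, Prod) are taken from this page.

```python
# Added example, not the project's own code. Audits a roster in the shape
# roster.hcl describes (users -> accounts -> roles). The dict format, user
# names and role names are assumptions; account families follow the page.

LEGACY_ACCOUNTS = {"aggregator", "prod"}        # legacy per the page: nothing new goes here
KNOWN_PREFIXES = ("customers/", "internal/")    # the two account families the page names

# Constructed sample roster (hypothetical users, accounts and roles).
SAMPLE_ROSTER = {
    "alice": {"customers/ulster": ["admin"], "internal/tooling": ["readonly"]},
    "bob":   {"customers/ulster": ["readonly"], "customers/eugene": ["readonly"]},
    "carol": {"prod": ["admin"]},
    "dave":  {"sandbox": ["admin"]},
}


def audit_roster(roster):
    """Return a list of (user, finding) tuples for grants a reviewer should look at."""
    findings = []
    for user, accounts in sorted(roster.items()):
        customer_accounts = [a for a in accounts if a.startswith("customers/")]
        # Accounts are segmented per customer; one identity spanning several
        # customer accounts is exactly the blast radius that split is meant to limit.
        if len(customer_accounts) > 1:
            findings.append((user, f"spans {len(customer_accounts)} customer accounts: "
                                   f"{sorted(customer_accounts)}"))
        for account, roles in accounts.items():
            if account.lower() in LEGACY_ACCOUNTS:
                findings.append((user, f"grant in legacy account {account!r} ({', '.join(roles)})"))
            elif not account.startswith(KNOWN_PREFIXES):
                findings.append((user, f"account {account!r} is outside customers/ and internal/"))
    return findings


def accounts_for(roster, user):
    """Answer 'which accounts can this user reach, with which roles?'."""
    return {acct: sorted(roles) for acct, roles in roster.get(user, {}).items()}


if __name__ == "__main__":
    for user, finding in audit_roster(SAMPLE_ROSTER):
        print(f"{user}: {finding}")
    print(accounts_for(SAMPLE_ROSTER, "alice"))
```

The findings are review prompts rather than hard failures: an internal engineer may legitimately hold roles in several customer accounts, but each such grant should be a deliberate decision rather than an accident of copy-paste.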

A production deployment uses:

  • ECS for the BE

  • S3 + CloudFront for the FE

  • The rendering service, OPA, and Grafana Alloy are deployed as sidecars to the BE.

  • A serverless Aurora cluster serves as the BE's database

  • The entire setup is regionally resilient (at the DNS layer)

A demo or preview deployment (anything that uses the fsh previews CLI) is simply an EC2 instance running docker compose.

AWS handles much of its own routing through Route53, in zones that have been delegated to it by Cloudflare.

Cloudflare

Cloudflare is used for three things:

  • DNS

  • Internal docs hosting (their Pages setup is very simple)

  • Access

    • What makes a demo deployment private

All DNS is controlled via Terraform.
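Because Route53 zones are delegated from Cloudflare and both sides are declared in Terraform, the two declarations can drift apart: a delegation in Cloudflare that points at a hosted zone that no longer exists (a dangling delegation, which breaks resolution and is the classic setup for a name being claimed by someone else), or a hosted zone nobody delegates to. This added example (not the project's code) is an offline consistency check between the NS records Cloudflare holds and the delegation sets Route53 assigned; the inputs are constructed here, and in practice they would be read from the Terraform state or the two providers' APIs (an assumption).

```python
# Added example, not the project's own code. Compares the NS delegations held in
# Cloudflare with the name servers Route53 assigned to each hosted zone. Inputs
# are constructed; sourcing them from Terraform state or provider APIs is assumed.

# Constructed: NS record sets in the Cloudflare zone, keyed by delegated name.
CLOUDFLARE_NS = {
    "aws.example.com": {"ns-1.awsdns-00.org.", "ns-2.awsdns-01.net.",
                        "ns-3.awsdns-02.co.uk.", "ns-4.awsdns-03.com."},
    "old.example.com": {"ns-9.awsdns-99.com."},    # delegation with no matching hosted zone
}

# Constructed: Route53 hosted zones and the delegation set AWS assigned to each.
ROUTE53_ZONES = {
    "aws.example.com": {"ns-1.awsdns-00.org.", "ns-2.awsdns-01.net.",
                        "ns-3.awsdns-02.co.uk.", "ns-4.awsdns-03.com."},
    "new.example.com": {"ns-5.awsdns-04.org."},    # hosted zone nobody delegates to
}


def normalize(name):
    """DNS names are case-insensitive; compare them lower-cased and fully qualified."""
    return name.lower().rstrip(".") + "."


def check_delegations(cloudflare_ns, route53_zones):
    """Return {name: problem} for every delegation that does not line up on both sides."""
    problems = {}
    cf = {normalize(n): {normalize(s) for s in servers} for n, servers in cloudflare_ns.items()}
    r53 = {normalize(n): {normalize(s) for s in servers} for n, servers in route53_zones.items()}

    for name, servers in cf.items():
        if name not in r53:
            # NS records pointing at no zone of ours: the name does not resolve, and
            # whoever later obtains a zone on those servers would answer for it.
            problems[name] = "dangling: Cloudflare delegates but no Route53 zone exists"
        elif servers != r53[name]:
            # Partial or stale NS sets give inconsistent answers depending on which
            # resolver path is taken; the two sides should be identical.
            problems[name] = (f"mismatch: Cloudflare NS {sorted(servers)} "
                              f"!= Route53 {sorted(r53[name])}")

    for name in r53:
        if name not in cf:
            problems[name] = "orphan: Route53 zone has no delegation from Cloudflare"
    return problems


if __name__ == "__main__":
    for name, problem in sorted(check_delegations(CLOUDFLARE_NS, ROUTE53_ZONES).items()):
        print(f"{name} {problem}")
```

Run as a step in the same pipeline that applies the DNS changes, so a plan that deletes a hosted zone without also removing its delegation fails before it is applied.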

Grafana

Our Grafana instance.

Application observability is in Grafana. This is automatically set up in the stack, and can be enabled in the Jsonnet declarative configuration files.