
feat(#503): implement infrastructure as code with Terraform#578

Open
Mystery-CLI wants to merge 1 commit into
BrainTease:mainfrom
Mystery-CLI:feat/503-terraform-iac

Conversation

@Mystery-CLI
Contributor

Closes #503

Summary

  • VPC & Networking — VPC with 2 public/private subnets, NAT gateways, Internet Gateway, and optional VPC flow logs
  • RDS PostgreSQL 16.3 — gp3 encrypted storage, enhanced monitoring, Performance Insights (prod), Multi-AZ support, deletion protection
  • ElastiCache Redis 7.1 — replication group with at-rest/in-transit encryption, Multi-AZ in prod, CloudWatch slow-log delivery; fixes deprecated replication_group_description argument
  • ECS Fargate — cluster with Container Insights + FARGATE_SPOT, deployment circuit breakers, Secrets Manager injection for DB/JWT/Stellar credentials, ECS Execute Command in non-prod
  • ALB — path-based routing (/api/* → backend, default → frontend), access logs to S3, optional HTTPS with TLS 1.3, HTTP→HTTPS redirect
  • ECR (new module) — backend & frontend repos with image scanning, lifecycle policies, IAM policies for ECS pull and GitHub Actions push
  • Auto-scaling (new module) — CPU and memory target-tracking policies for both services; CloudWatch alarms for high utilization
  • Security groups — all use the parameterised vpc_cidr output instead of hardcoded 10.0.0.0/16
  • IAM roles — ECS execution role extended with Secrets Manager and KMS access; task role with least-privilege CloudWatch + ECR policies
  • root config — complete variables.tf with environment validation, updated outputs.tf with ECR URLs and secret ARNs, comprehensive terraform.tfvars.example, updated README with architecture diagram and two-step bootstrap guide

Test plan

  • terraform init succeeds with the S3/DynamoDB backend
  • terraform validate passes with no errors
  • terraform plan -var-file=terraform.tfvars shows expected resource count (no unexpected diffs)
  • terraform apply on a fresh dev environment provisions all resources
  • ECS services reach ACTIVE state and health checks pass
  • ALB routes /api/health to the backend target group
  • Frontend container receives NEXT_PUBLIC_API_URL from api_base_url variable
  • GitHub Actions OIDC role authenticates successfully from the workflow
  • ECR push succeeds using the OIDC role
  • Auto-scaling policies appear in the AWS console

🤖 Generated with Claude Code

Complete AWS IaC covering all required components for the Brain Storm platform:

VPC & Networking
- VPC with 2 public and 2 private subnets across AZs
- NAT gateways, route tables, Internet Gateway
- VPC flow logs with CloudWatch (enable_flow_logs variable)

RDS PostgreSQL
- PostgreSQL 16.3 on gp3 encrypted storage with auto-scaling
- Enhanced monitoring (60s interval), Performance Insights in prod
- Multi-AZ support (rds_multi_az variable), deletion protection in prod
- IAM role for enhanced monitoring agent

ElastiCache Redis
- Redis 7.1 replication group with encryption at rest and in transit
- Fixes deprecated replication_group_description → description
- Multi-AZ and automatic failover enabled in prod; single node in dev/staging
- CloudWatch slow-log delivery

ECS Fargate
- Cluster with Container Insights, FARGATE + FARGATE_SPOT capacity providers
- Backend and frontend Fargate services with deployment circuit breakers
- Secrets Manager injection for DB password, JWT, and Stellar key
- ECS Execute Command enabled in non-prod for debugging
- lifecycle { ignore_changes } on task_definition and desired_count for CI/CD

ALB
- Internet-facing ALB with access logs to S3
- Path-based routing: /api/*, /health, /v1/* → backend; default → frontend
- Optional HTTPS listener with TLS 1.3 policy; HTTP→HTTPS redirect when cert provided
- alb_security_group_id output for downstream use

ECR (new module)
- Backend and frontend repositories with image scanning on push
- Lifecycle policies: retain 10 tagged images, expire untagged after 14 days
- Repository policies granting ECS pull and GitHub Actions push access

Auto-scaling (new module)
- Application Auto Scaling targets for both ECS services
- CPU (70%) and memory (80%) target-tracking policies
- CloudWatch alarms for high CPU on each service
- Configurable min/max capacity per service

Security Groups & IAM
- All security groups use parameterised vpc_cidr instead of hardcoded 10.0.0.0/16
- ECS execution role extended with secretsmanager:GetSecretValue and kms:Decrypt
- ECS task role with least-privilege CloudWatch Logs and ECR pull permissions

Other
- Root main.tf wires all modules including new ECR and autoscaling
- Complete variables.tf with validation on environment values
- Comprehensive outputs.tf with ECR repo URLs and secrets ARNs
- Updated terraform.tfvars.example documenting every variable
- Updated README with architecture diagram and two-step bootstrap guide

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
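As an added example (not code from this PR or the BrainTease repository), the least-privilege pattern the description calls for: an ECS execution role whose Secrets Manager and KMS access is scoped to the specific secret ARNs and key, and an RDS security-group rule fed by a validated `vpc_cidr` variable instead of a literal `10.0.0.0/16`. The resource names (`brainstorm-ecs-execution-secrets`, `aws_iam_role.ecs_execution`, `aws_security_group.rds`) and the variables are assumptions.

```hcl
variable "vpc_cidr" {
  type = string
  validation {
    condition     = can(cidrnetmask(var.vpc_cidr))
    error_message = "vpc_cidr must be a valid IPv4 CIDR block."
  }
}
variable "secret_arns" { type = list(string) }  # DB password, JWT, Stellar secret ARNs (assumed)
variable "secrets_kms_key_arn" { type = string } # key that encrypts those secrets (assumed)

data "aws_region" "current" {}

# The execution role may read only the listed secrets and decrypt only with
# their key, and only when Secrets Manager is the service calling KMS.
data "aws_iam_policy_document" "execution_secrets" {
  statement {
    sid       = "ReadInjectedSecrets"
    actions   = ["secretsmanager:GetSecretValue"]
    resources = var.secret_arns
  }
  statement {
    sid       = "DecryptSecretsKey"
    actions   = ["kms:Decrypt"]
    resources = [var.secrets_kms_key_arn]
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["secretsmanager.${data.aws_region.current.name}.amazonaws.com"]
    }
  }
}

resource "aws_iam_role_policy" "execution_secrets" {
  name   = "brainstorm-ecs-execution-secrets"
  role   = aws_iam_role.ecs_execution.id # execution role assumed to exist in the module
  policy = data.aws_iam_policy_document.execution_secrets.json
}

# RDS accepts PostgreSQL only from inside the VPC, via the validated variable
# rather than a hardcoded CIDR.
resource "aws_security_group_rule" "rds_from_vpc" {
  type              = "ingress"
  from_port         = 5432
  to_port           = 5432
  protocol          = "tcp"
  cidr_blocks       = [var.vpc_cidr]
  security_group_id = aws_security_group.rds.id # assumed to exist in the module
}
```

Without the `kms:ViaService` condition, the execution role could call `kms:Decrypt` on that key directly rather than only through Secrets Manager, which is wider than the task injection path needs.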
@drips-wave

drips-wave Bot commented May 30, 2026

@Mystery-CLI Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits


Successfully merging this pull request may close these issues.

[DevOps] Create infrastructure as code (Terraform)