Aws architecture upates by ekremarmagankarakas · Pull Request #104 · KhourySpecialProjects/ExamEngine

ekremarmagankarakas · 2026-04-08T03:52:11Z

AWS infrastructure and CI/CD updates made. Not yet applied to a live environment

See docs/MIGRATE_INFRA.md for the deployment guide.

VPC — Custom VPC with private subnets for ECS/RDS, NAT gateways, VPC endpoints for S3/ECR/Secrets Manager
Credentials — OIDC for GitHub Actions, IAM task role for ECS. Removed long-lived AWS keys from application
Secrets Manager — DATABASE_URL (auto-constructed from RDS endpoint) and SECRET_KEY removed from plaintext env vars
RDS — Encryption at rest, 7-day backups, final snapshot on destroy
Route53 + ACM — Hosted zone and TLS certificate fully managed by Terraform
Terraform — Restructured into a reusable module with separate prod/staging roots and state backends
CI/CD — New workflows replacing the old ones; deploys use OIDC and read config from SSM
Bug fixes — Dockerfile healthcheck was pointing to /docs (disabled in prod); backend required unused AWS credential fields that would have caused ECS startup failures

Before deploying (Merging)

Create ECR repos and Terraform state buckets in each AWS account
Run terraform apply in prod and staging
Update nameservers at domain registrar
Add AWS_GITHUB_ACTIONS_ROLE_ARN_PROD and AWS_GITHUB_ACTIONS_ROLE_ARN_STAGING to GitHub secrets
Remove old AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY secrets from GitHub

…rotocol

- Add /health endpoint for ALB and ECS health checks - Disable /docs and /redoc when ENVIRONMENT=production - Update ALB target group and ECS container health checks from /docs to /health

- Move all .tf files into modules/examengine/ (history preserved via git mv) - Add environments/staging/ and environments/prod/ with separate backends and tfvars - Parameterize domain_name to replace hardcoded prod domain in acm.tf and output.tf - Update .gitignore to catch terraform.tfvars in subdirectories

…rces - Replace ACM data source with resource — cert created and DNS-validated via Route53 automatically on terraform apply - Add deploy_branch variable to scope OIDC trust policy per environment (main → prod, staging → staging) so accounts cannot cross-deploy - Remove dead aws_ecs_service and aws_ecs_cluster data sources leftover from old CI/CD IAM user

ekremarmagankarakas added 18 commits February 15, 2026 17:43

vpc added to terraform

7fdfc15

Migrate to OIDC auth and Secrets Manager for credentials

40c6cfc

Fix HTTP to HTTPS redirect on ALB and correct FRONTEND_URL fallback p…

8e6be1f

…rotocol

RDS encryption added

570eea3

Add /health endpoint and disable Swagger docs in production

803cef5

- Add /health endpoint for ALB and ECS health checks - Disable /docs and /redoc when ENVIRONMENT=production - Update ALB target group and ECS container health checks from /docs to /health

Add vpc endpoint for secrets manager

ca00ce0

Add Route53 hosted zone and ALB alias record per environment

f963e67

actions updated for new infrastructure

e46cb9d

Removed aws credentials from backend app

2406e09

AWS documentation updated

36c0db8

AWS rds database url is built from secrets

19b11c3

Merge branch 'main' into aws-architecture-upates

9567617

fix: CICD references root package-lock and start tracking uv.lock

0b16227

NPM package updates

dd93e4d

CICD e2e tests added

5b8fa70

CICD Add path limits

cecadb0

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Aws architecture upates#104

Aws architecture upates#104
ekremarmagankarakas wants to merge 18 commits into
mainfrom
aws-architecture-upates

ekremarmagankarakas commented Apr 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

ekremarmagankarakas commented Apr 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant