rl-docs-hub

Home · Apps · rl-bank-mvp · rl-main-infra · todo_api · todo_mobile

---

Architecture

Recommended target architecture

flowchart TB
  Users[Customers + Merchant Portal Users]
  Auth0[Auth0 Tenant]

  subgraph Edge[Edge / Public]
    CFWeb[CloudFront\ncustomer web]
    CFMp[CloudFront\nmerchant portal]
    WAF[WAF optional phase 2]
  end

  subgraph AWS[AWS ap-southeast-1 / account 982233224911]
    subgraph VPC[VPC]
      ALB[Public ALB\napi.bank.example]
      ECS[ECS Fargate Service\nrl-bank-api]
      Cache[ElastiCache Serverless\nValkey]
      DB[(External DB via DB_URI\nor managed DB later)]
      SM[Secrets Manager]
      SSM[SSM Parameter Store]
      CW[CloudWatch Logs + Alarms]
    end

    S3Web[S3 bucket\ncustomer app build]
    S3Mp[S3 bucket\nmerchant portal build]
    ECR[ECR repo\nrl-bank-api]
    ACMEdge[ACM us-east-1\nCloudFront certs]
    ACMAlb[ACM ap-southeast-1\nALB cert]
    R53[Route53 Hosted Zone]
  end

  Users --> CFWeb
  Users --> CFMp
  Users --> ALB
  CFWeb --> S3Web
  CFMp --> S3Mp
  Users -. login .-> Auth0
  CFWeb -. tokens .-> Auth0
  CFMp -. tokens .-> Auth0
  ALB --> ECS
  ECS --> Cache
  ECS --> DB
  ECS --> Auth0
  ECS --> SM
  ECS --> SSM
  ECS --> CW
  ECS --> ECR
  R53 --> CFWeb
  R53 --> CFMp
  R53 --> ALB
  ACMEdge --> CFWeb
  ACMEdge --> CFMp
  ACMAlb --> ALB
  WAF -. attach later .-> CFWeb
  WAF -. attach later .-> CFMp

PBX / telephony note

If the fake-bank MVP exposes PBX telephony, voice-bot, or IVR entry points, treat those as part of the product safety surface rather than just an ops detail.

The standing documentation rule is:

• maintain two PBX script variants:
  • authorised/internal callers → internal script path may omit the fake-bank disclaimer
  • all other callers → explicit fake-bank / experimentation / hobbyist disclaimer required
• any external/public number should use the disclaimer-bearing variant by default
• callers should be warned not to share real banking details or sensitive personal information

See PBX IVR / Call Script for the canonical wording and routing guidance.

Domain and TLS assumptions

Assume one hosted zone already exists or will be created in Route53. Suggested public names:

• api.<bank-domain> → ALB for rl-bank-api
• app.<bank-domain> → CloudFront for rl-bank-webapp
• merchant.<bank-domain> → CloudFront for rl-bank-mp-webapp

TLS assumptions:

• CloudFront certificates must live in us-east-1.
• ALB certificate must live in ap-southeast-1.
• Use Route53 alias records for ALB and CloudFront.
• Force HTTPS at CloudFront and ALB listeners.

Auth0 callback/logout/web origin assumptions:

• Customer app allowed callback/logout/web origins include https://app.<bank-domain>
• Merchant portal allowed callback/logout/web origins include https://merchant.<bank-domain>
• API audience should match an Auth0 API such as https://api.<bank-domain>

AWS services required for MVP

For rl-bank-api

• ECR — store API container image
• ECS Fargate — run NestJS API without EC2 ops burden
• Application Load Balancer — public ingress, TLS termination, health checks
• Target Group — route to API container
• CloudWatch Logs — container logs
• CloudWatch Alarms — 5xx, unhealthy targets, CPU/memory, log-based alarms if desired
• Secrets Manager — secrets and credentials
• SSM Parameter Store — non-secret app config
• ElastiCache Serverless (Valkey) — backs CACHE_URI
• Route53 — DNS for API hostname
• ACM — ALB TLS certificate

For rl-bank-webapp

• S3 — host built Flutter web assets
• CloudFront — TLS, caching, SPA/web delivery
• Route53 — DNS alias
• ACM in us-east-1 — edge certificate
• Optional later: WAFv2 attached to CloudFront

For rl-bank-mp-webapp

• S3 — host built Vite assets
• CloudFront — TLS, caching, SPA delivery
• Route53 — DNS alias
• ACM in us-east-1 — edge certificate
• Optional later: WAFv2 attached to CloudFront

Network model

Reuse the rl-main-infra production VPC patterns where possible.

Public tier

• ALB in at least 2 public subnets across 2 AZs

Private app tier

• ECS service tasks in private subnets, assignPublicIp=false
• outbound internet via NAT if the API must reach Auth0, Sentry, Mailgun, Twilio, Firebase, etc.

Data/cache tier

• ElastiCache access allowed only from the API task security group
• If the chosen DB is inside AWS later, place it in isolated/private data subnets

API deployment recommendation

For MVP, deploy rl-bank-api as a single ECS Fargate service.

Why this is the right call:

• The app is already a single NestJS service.
• GraphQL is centralized; splitting early would add pain without MVP benefit.
• ECS Fargate matches existing rl-main-infra patterns better than introducing Lambda or EKS now.
• It keeps blast radius understandable and IAM boundaries clean.

Suggested runtime shape:

• desired count: 2
• CPU/memory: start with 0.5 vCPU / 1-2 GB
• health endpoint: add/verify GET /health
• container port: 9000
• ALB listener rules forward /api/* or whole hostname to the API target group

Important repo observation:

• NestJS global prefix is /api
• GraphQL endpoint is effectively /api/graphql
• health endpoint is excluded from the prefix, so ALB health check can safely use /health

Web hosting recommendation

rl-bank-mp-webapp (React/Vite)

Host as a static SPA on S3 + CloudFront.

Needs:

• SPA fallback behavior (index.html) for client-side routes
• build-time env injection for:
  • VITE_API_BASE_URL
  • VITE_AUTH_DOMAIN
  • VITE_AUTH_CLIENT_ID
  • VITE_SENTRY_DSN
  • optional VITE_SENTRY_RELEASE

rl-bank-webapp (Flutter web)

Also host on S3 + CloudFront.

Needs:

• flutter build web --dart-define=...
• compile-time values:
  • AUTH0_DOMAIN
  • AUTH0_CLIENT_ID
  • GRAPHQL_ENDPOINT
  • SENTRY_ENV
• CloudFront custom error response or routing support so deep links resolve to index.html

Opinionated note: for this MVP I would keep both web apps on the same hosting pattern rather than mixing Amplify Hosting for one and S3/CloudFront for the other. One pattern means less drift, easier Pulumi reuse, and clearer IAM.

Application-layer support workspace architecture

The next realism slice stays entirely inside the existing app/API architecture:

• rl-bank-mp-webapp gains a staff support workspace for account servicing
• rl-bank-api extends admin account GraphQL for support detail + status mutations
• existing staff authn/authz remains the control plane for role/permission checks
• existing Mongo-backed collections remain the data sources

Support workspace data flow

sequenceDiagram
  participant Staff as Staff user
  participant Portal as rl-bank-mp-webapp
  participant API as rl-bank-api GraphQL
  participant Guard as Staff authz guard
  participant Account as Account service
  participant Audit as Auditlog service
  participant DB as Mongo collections

  Staff->>Portal: Open support workspace
  Portal->>API: adminListAccountsForSupport
  API->>Guard: validate account.read
  Guard-->>API: allowed
  API->>Account: list support accounts
  Account->>DB: read accounts + latest transactions
  DB-->>Account: account list
  Account-->>API: support list payload
  API-->>Portal: account queue

  Staff->>Portal: Submit freeze/unfreeze/close + reason
  Portal->>API: adminUpdateAccountStatus
  API->>Guard: validate account.manage
  Guard-->>API: allowed
  API->>Account: validate transition + update status
  Account->>DB: update accounts
  Account->>Audit: record servicing action
  Audit->>DB: insert audit_logs entry
  Account->>DB: read refreshed support detail
  DB-->>Account: refreshed context
  Account-->>API: support detail payload
  API-->>Portal: updated detail + audit-backed history

GraphQL and Auth0 considerations

Browser auth flow

• Browser apps authenticate directly against Auth0.
• Auth0 returns access tokens for the API audience.
• Browser sends bearer token to https://api.<bank-domain>/api/graphql.

API auth flow

rl-bank-api already has the right broad shape:

• validates JWTs with JWKS
• uses Auth0 Management API client for backend workflows
• uses CORS whitelist

MVP requirements to formalize:

• set Auth0 API audience and issuer explicitly
• ensure JWT verification validates issuer and audience, not just signature
• ensure CORS whitelist includes exactly:
  • https://app.<bank-domain>
  • https://merchant.<bank-domain>
  • local dev origins separately in non-prod config only
• keep GraphQL introspection enabled only if consciously desired for prod; I would default it off unless operationally needed

Auth0 app layout

Suggested Auth0 objects:

• 1 API / resource server for rl-bank-api
• 2 SPA applications:
  • customer web app
  • merchant portal web app
• 1 M2M application for rl-bank-api Management API access

Environment, config, and secrets strategy

Follow the rl-main-infra config style: explicit Pulumi config for infrastructure decisions, app runtime config delivered through AWS-native services.

Split of responsibility

Pulumi config (infra:*)

Use for infrastructure decisions only, for example:

• account/region
• VPC/subnet IDs
• desired counts
• domain names
• whether to create resources vs scaffold only
• hosted zone IDs
• ACM cert ARNs if imported

SSM Parameter Store (non-secret)

Use for runtime values that are not sensitive:

• NODE_ENV
• PORT
• CORS_ORIGIN_WHITELIST
• AUTH_DOMAIN
• AUTH_AUDIENCE
• GRAPHQL_PUBLIC_URL
• SENTRY_RELEASE
• feature flags

Secrets Manager (secret)

Use for anything credential-like:

• DB_URI
• CACHE_URI if it contains auth material
• AUTH_M2M_CLIENT_ID
• AUTH_M2M_CLIENT_SECRET
• API_KEY
• SENTRY_DSN if treated as secret in your practice
• MAILGUN_API_KEY
• TWILIO_*
• Firebase service account JSON / key material

ECS injection pattern

• ECS task definition gets env vars from a small number of SSM parameters and Secrets Manager ARNs
• task execution role reads only secrets/parameters for this service
• app task role should be separate from execution role

Naming convention suggestion

• SSM: /rl/bank/api/<key>
• Secrets Manager: rl/bank/api/<key>
• S3 buckets: prd-rl-bank-webapp, prd-rl-bank-mp-webapp style if globally available
• ECS service: prd-rl-bank-api
• ECR repo: rl-bank-api

Database posture for MVP

The code currently only tells us this for sure:

• API needs DB_URI
• package dependencies include MongoDB, MSSQL, MySQL, and TypeORM-related packages

That is a giant hint not to hard-code a database choice into the first infra pass.

My recommendation:

1. Treat the database as an external dependency in MVP phase 1.
2. Deliver DB_URI via Secrets Manager.
3. Only codify AWS-managed DB resources after the app team confirms the authoritative engine.

If the engine is confirmed later:

• MongoDB-compatible need → MongoDB Atlas or DocumentDB decision
• MySQL need → Aurora Serverless v2 MySQL or RDS MySQL
• SQL Server need → RDS SQL Server

For MVP planning today, forcing a DB resource before the app team confirms the engine is how infra gets stupid. Better to leave a clean interface now.

Least-privilege IAM plan

CI/CD deploy role for API image push

Needs only:

• ecr:GetAuthorizationToken on *
• ecr:BatchCheckLayerAvailability
• ecr:InitiateLayerUpload
• ecr:UploadLayerPart
• ecr:CompleteLayerUpload
• ecr:BatchGetImage
• ecr:PutImage

Scope recommendation:

• repository ARN only for rl-bank-api
• GetAuthorizationToken remains * because AWS requires it

CI/CD role for static site publish

Needs only:

• s3:ListBucket
• s3:GetObject
• s3:PutObject
• s3:DeleteObject
• cloudfront:CreateInvalidation

Scope recommendation:

• specific bucket ARN + object ARN for each app bucket
• specific distribution ARN/ID for each app distribution

ECS task execution role

Needs only:

• ecr:GetAuthorizationToken
• ecr:BatchGetImage
• ecr:GetDownloadUrlForLayer
• logs:CreateLogStream
• logs:PutLogEvents
• secretsmanager:GetSecretValue for only referenced secrets
• ssm:GetParameters / ssm:GetParameter for only referenced parameters
• kms:Decrypt only for the CMKs protecting those secrets/parameters, if customer-managed keys are used

API task role

Start narrow. Only grant app runtime calls it actually makes. Likely set:

• secretsmanager:GetSecretValue only if the app fetches secrets at runtime itself
• ssm:GetParameter(s) only if the app fetches config at runtime itself
• kms:Decrypt scoped to specific keys if needed
• Auth0 does not require AWS IAM because it is external HTTP
• Mailgun/Twilio/Firebase also do not require AWS IAM unless AWS wrappers are added

Route53/ACM management role

For infra Pulumi only:

• route53:ChangeResourceRecordSets scoped to hosted zone ARN
• route53:ListHostedZonesByName, route53:GetHostedZone, route53:ListResourceRecordSets
• acm:DescribeCertificate, acm:ListCertificates, acm:RequestCertificate, acm:DeleteCertificate scoped as tightly as possible

ElastiCache scope

If creating serverless cache via Pulumi, infra role needs ElastiCache create/read/update for only the relevant cache resources. App runtime itself normally does not need AWS IAM for cache access; it connects over the VPC network using the endpoint/secret.

Pulumi structure proposal

To stay consistent with rl-main-infra, I would add a gated module rather than a one-off script pile.

Suggested module layout:

• src/modules/bank-api.ts
• src/modules/bank-web-static-site.ts
• src/modules/bank-mp-web-static-site.ts
• src/modules/acm-edge.ts
• src/modules/bank-dns.ts
• src/modules/bank-observability.ts
• src/modules/bank-secrets-scaffold.ts

Suggested config shape:

infra:bankMvp:
  enabled: true
  createResources: false
  namePrefix: prd-rl-bank
  domain:
    rootDomain: example.com
    apiSubdomain: api
    appSubdomain: app
    merchantSubdomain: merchant
    hostedZoneId: Z123456789
  network:
    vpcId: vpc-...
    publicSubnetIds:
      - subnet-a
      - subnet-b
    privateSubnetIds:
      - subnet-c
      - subnet-d
  api:
    image: 982233224911.dkr.ecr.ap-southeast-1.amazonaws.com/rl-bank-api:latest
    containerPort: 9000
    desiredCount: 2
    healthCheckPath: /health
  webapp:
    bucketName: prd-rl-bank-webapp
  merchantPortal:
    bucketName: prd-rl-bank-mp-webapp
  auth0:
    domain: tenant.region.auth0.com
    audience: https://api.example.com

Pattern note:

• enabled=true, createResources=false should produce a plan/scaffold output only, matching the safer patterns already in rl-main-infra.
• Only after clean review should createResources=true be allowed.

Application slice extension: account detail + history realism

This application-layer slice sits on top of the same architecture above and does not require new infrastructure.

flowchart LR
  Customer --> CustomerApp[Customer web/mobile app]
  CustomerApp --> GraphQL[rl-bank-api /api/graphql]
  GraphQL --> AccountService[Account service]
  GraphQL --> TransactionService[Transaction service]
  AccountService --> Accounts[(accounts)]
  AccountService --> Cards[(cards)]
  AccountService --> Transactions[(transactions)]
  TransactionService --> Transactions

The main design choice is to compute account realism from existing persisted data rather than invent a separate account-history subsystem too early.

Rollout plan

Phase 0 — confirm unknowns

• confirm real public domain
• confirm authoritative database engine/provider
• confirm whether existing VPC/subnets/hosted zone/certs should be reused or imported
• confirm Auth0 tenant details and desired audience naming

Phase 1 — Pulumi scaffold only

• add bank MVP module configs with createResources=false
• output plan values and missing prerequisites
• no resource creation yet

Phase 2 — static web foundations

• create S3 buckets, CloudFront dists, ACM edge certs, Route53 aliases
• deploy test placeholder builds

Phase 3 — API runtime

• create ECR repo, ECS cluster integration, task definition, service, ALB, logs, alarms, secrets references, cache
• verify /health
• verify GraphQL at /api/graphql

Phase 4 — auth and app cutover

• configure Auth0 callback/logout/origin values
• set web app envs to real domains
• enable CORS allowlist
• validate login and GraphQL token flow end to end

Phase 5 — hardening

• CloudFront WAF
• tighter alarms and dashboards
• optional ALB access logs / CloudFront logs
• optional origin access control and stricter bucket policies

Gaps / blockers to resolve before implementation

1. Database engine is not confirmed.
2. No explicit Dockerfile/runtime artifact reviewed yet for rl-bank-api.
3. No existing bank domain/hosted zone confirmed yet.
4. Need to decide whether bank resources live inside rl-main-infra or a dedicated rl-bank-infra repo that follows the same patterns.
5. JWT verification should explicitly validate issuer/audience if not already done elsewhere in code.
6. Need to verify whether customer Flutter web app should use real Auth0 browser login or remain demo-auth style during MVP.

My recommendation on repo shape

Short version:

• If John wants fastest MVP path and one production infra control plane, extend rl-main-infra with gated bank modules.
• If he expects the fake bank to become a larger standalone product, create rl-bank-infra but copy the same Pulumi conventions from rl-main-infra.

My bias for this MVP: start inside rl-main-infra as a gated module set, because the patterns already exist and there is only one production AWS account.