rl-docs-hub

Home · Apps · rl-main-infra · todo_api · todo_mobile

API Specs

rl-main-infra does not expose an HTTP/GraphQL application API. Its operational interface is the Pulumi CLI contract plus exported stack outputs.

Operational Interface

CLI commands

Command	Purpose	Safety Expectation
`pulumi preview --refresh --diff`	Validate desired vs live state	Must run before any apply
`pulumi up --refresh --diff`	Apply import or managed changes	Only after clean preview
`pulumi stack select dev`	Select working stack	Required before preview/apply
`pulumi config set infra:enableManagedImports <bool>`	Toggle import ownership mode	Keep `false` unless scoped import
`pulumi config set infra:ec2ImportBatch <csv>`	Scope EC2 import batch	Keep batch small and explicit

Required config inputs

Key	Type	Example	Notes
`aws:region`	string	`ap-southeast-1`	Must match discovery region
`infra:accountId`	string	`982233224911`	Must match discovery account
`infra:enableManagedImports`	boolean-string	`false` / `true`	Global ownership toggle
`infra:protectImported`	boolean-string	`true`	Must stay true during imports
`infra:ec2ImportBatch`	CSV string	`i-...,i-...`	Optional, Phase 3 scoping

Exported Stack Outputs (Program Contract)

From src/index.ts:

Output	Type	Description
`accountId`	string	Discovered account id
`region`	string	Discovered region
`vpcId`	string/output	Primary VPC id
`subnetCount`	number	Count from discovery inventory
`routeTableCount`	number	Count from discovery inventory
`securityGroupCount`	number	Count from discovery inventory
`managedImportsEnabled`	boolean	Effective managed-import mode
`ec2BatchSize`	number	Number of EC2 instances in current batch
`importedEc2InstanceIds`	string[]	Current EC2 IDs in import scope
`ec2ResourceCount`	number	Number of EC2 resources materialized

Runbooks

Runbook A — Safe Baseline Preview (No Ownership Change)

pulumi stack select dev
pulumi config set aws:region ap-southeast-1
pulumi config set infra:accountId 982233224911
pulumi config set infra:enableManagedImports false
pulumi config set infra:protectImported true
pulumi preview --refresh --diff

Expected: reads only, no delete/replace.

Runbook B — Scoped Protected Import (Network or EC2 Batch)

pulumi stack select dev
pulumi config set infra:enableManagedImports true
pulumi config set infra:protectImported true
# Optional for EC2 phase:
pulumi config set infra:ec2ImportBatch i-025e303d34c599721,i-03be6f30f15f9352e
pulumi preview --refresh --diff
# only if preview is clean:
pulumi up --refresh --diff

Stop conditions: any planned delete or replace.

Runbook C — Drift/Conflict Triage

Re-run preview with --refresh --diff to confirm reproducibility.
Isolate offending resource(s) by narrowing import scope.
Decide one path:
- Add narrowly-scoped ignoreChanges for non-authoritative attributes, or
- Revert resource to reference-only mode until model quality improves.
Re-run preview; require non-destructive plan.
Record decision in import ledger + ops notes.

Known Non-HTTP Service Surfaces Represented

Even though there is no direct app API here, discovered service interfaces include:

API Gateway REST APIs: 1 (rlmc-bcnc-api) — service-level import candidate (Phase 4)
Messaging surfaces: SNS (2), SQS (1) — currently read references
Data surfaces: DynamoDB (13) — currently read references

Audit Correlation

The Pulumi program contract aligns to audit artifacts in:

/Users/admin/.openclaw/workspace/aws-infra-audit/inventory.md
/Users/admin/.openclaw/workspace/aws-infra-audit/ap-southeast-1/*.json