rl-docs-hub

Home · Apps · rl-main-infra · todo_api · todo_mobile

---

Architecture

Platform architecture stance

rl-main-infra should be understood as a platform IaC repo, not a single-purpose migration bucket and not a single-workload repo.

The architecture boundary is:

• shared platform foundation for account/VPC/service baseline and imports/references
• shared ingress / edge capabilities for reusable ALB/NLB/CloudFront/WAF/DNS patterns
• workload composition for PBX, fed-proxy, data-download, and future workloads
• migration scaffolding for phased import/cutover code that should remain isolated from durable platform modules

High-Level Topology (Pulumi Ownership Model)

flowchart TB
  subgraph AWS["AWS Account 982233224911"]
    subgraph APSE1["ap-southeast-1 (primary)"]
      VPC["VPC: main-vpc\nvpc-02eda3dee7714fe3d"]
      SUBNETS["25 Subnets"]
      RT["4 Route Tables"]
      SG["8 Security Groups"]
      EC2["EC2: 3 instances\n(jumphost, ad01, openvpn-egress)"]
      ECS["ECS Cluster: main-cluster"]
      APIGW["API Gateway REST: rlmc-bcnc-api"]
      LAMBDA["Lambda: 7 functions"]
      DDB["DynamoDB: 13 tables"]
      ECR["ECR: 8 repositories"]
      SQS["SQS: 1 queue"]
      SNS["SNS: 2 topics"]
    end

    subgraph GLOBAL["Global Services"]
      S3["S3: 21 buckets"]
      CF["CloudFront: 8 distributions"]
      R53["Route53: 1 private hosted zone"]
    end
  end

  PULUMI["Pulumi Program\nrl-main-infra"] --> VPC
  PULUMI --> SUBNETS
  PULUMI --> RT
  PULUMI --> SG
  PULUMI --> EC2
  PULUMI -. staged imports .-> ECS
  PULUMI -. staged imports .-> APIGW
  PULUMI -. references first .-> LAMBDA
  PULUMI -. references first .-> DDB
  PULUMI -. staged imports .-> ECR
  PULUMI -. references first .-> SQS
  PULUMI -. references first .-> SNS
  PULUMI -. batch imports .-> S3
  PULUMI -. reference-only for now .-> CF
  PULUMI -. reference-only for now .-> R53

Current program components

Module	Purpose	Current Mode
network.ts	VPC, Subnets, Route Tables, Security Groups	Import/read-mode toggle via infra:enableManagedImports
compute.ts	EC2 instances	Batched import using infra:ec2ImportBatch
services.ts	ECS, ECR, API Gateway + refs for Lambda/DynamoDB/SQS/SNS	Partial managed import, high-drift services as references
edge.ts	S3 + refs for CloudFront/Route53	S3 import-ready, CloudFront/Route53 reference-only

Target logical component groups

Logical Area	What belongs there
Shared platform foundation	network baseline, shared compute/service imports, account/VPC-level primitives
Shared ingress / edge	reusable CloudFront, ALB, NLB, WAF, DNS, and aliasing patterns
Workload modules	PBX, fed-proxy, data-download, and future workload composition
Migrations	staged import/cutover helpers such as Route53 phases and CloudFront prep
Inventory/discovery	generated discovery snapshots and migration-input artifacts

Workload architecture note

The most important naming and structure transition is for PBX:

• document the workload as PBX
• place new workload code in pbx-named folders/modules
• keep OpenCX only where existing code/config names still require the legacy alias

Import Phases and Gates

flowchart LR
  P1["Phase 1\nRead-only baseline"] --> P2["Phase 2\nCore network imports"]
  P2 --> P3["Phase 3\nEC2 batch imports"]
  P3 --> P4["Phase 4\nServices imports\n(ECR/ECS/API GW)"]
  P4 --> P5["Phase 5\nEdge imports\n(S3 first)"]
  P5 --> P6["Phase 6\nHardening + CI + runbooks"]

  SAFE["Safety Gate:\npreview --refresh --diff\nNO delete/replace"] -. required before each phase .-> P1
  SAFE -.-> P2
  SAFE -.-> P3
  SAFE -.-> P4
  SAFE -.-> P5
  SAFE -.-> P6

Safeguards in Code and Process

Config-level safeguards

• infra:accountId must match discovery account; otherwise execution fails.
• aws:region must match discovery region; otherwise execution fails.
• infra:enableManagedImports defaults to false in project config.
• infra:protectImported=true keeps imported resources protected.

Resource-level safeguards

• Pulumi protect: true used on imported resources.
• ignoreChanges applied for drift-prone properties:
  • EC2: userData, associatePublicIpAddress, sourceDestCheck, userDataReplaceOnChange
  • Security Groups: ingress, egress, tags, tagsAll, revokeRulesOnDelete

Change-control safeguards

• Preview-first workflow for every change.
• pulumi up --yes explicitly disallowed during import phases.
• Stop immediately on any planned delete or replace.

Network Baseline (ap-southeast-1)

• VPC: main-vpc / 10.0.0.0/16
• 25 subnets spanning workload tiers (public, private, ALB, AD, OpenVPN, etc.)
• 1 NAT gateway + 1 internet gateway
• 4 route tables
• 8 security groups

EC2 Import Status

• Inventory detects exactly 3 EC2 instances in-scope.
• Current Pulumi.dev.yaml batch includes all 3 instance IDs:
  • i-025e303d34c599721
  • i-03be6f30f15f9352e
  • i-053258725beedaa1c
• Effective status: batch scope prepared and codified; final import apply remains operator-gated after clean previews.

Drift and Conflict Handling

1. Run baseline preview (enableManagedImports=false) to validate references.
2. Enable imports only for a narrow scope.
3. If drift is noisy on non-authoritative fields, use ignoreChanges narrowly with justification.
4. If preview shows delete/replace, revert to reference mode for problematic resources and remodel.
5. Record all accepted drift and import decisions in an import ledger (resource ID, rationale, date).