Infrastructure¶
All infrastructure is managed with Terraform and deployed via GitHub Actions.
AWS Resources¶
App Runner¶
The application runs on AWS App Runner, a fully managed container service.
| Setting | Value |
|---|---|
| Service Name | lumi-dev-luminarium-proof |
| CPU | 1 vCPU |
| Memory | 2 GB |
| Min Instances | 1 |
| Max Instances | 3 |
| Port | 3000 |
Key Features:
- Auto-scales based on traffic
- No server management required
- Built-in health checks
- Blue-green deployments
RDS SQL Server¶
| Setting | Value |
|---|---|
| Engine | SQL Server Express |
| Instance Class | db.t3.small |
| Storage | 20-100 GB (auto-scaling) |
| Subnet | Private (no public access) |
| Backup Retention | 1 day |
Connection:
- App Runner connects via VPC Connector
- No public endpoint
- Only App Runner security group can reach port 1433
ECR (Container Registry)¶
Docker images are stored in Amazon ECR.
- Images are tagged with the commit SHA and workflow run number: `sha-{commit}-run-{run_number}`
- A lifecycle policy removes untagged images after 7 days
Cloudflare Resources¶
DNS¶
| Record | Type | Value |
|---|---|---|
| luminarium-proof-dev | CNAME | App Runner URL |
Access Application¶
Zero Trust protection for the application.
| Setting | Value |
|---|---|
| Session Duration | 24 hours |
| Allowed Domains | @luminarium.ai, @fastmarkets.com |
Service Token¶
For CI/CD health checks. The token bypasses the interactive user login, but every request must still present it in the `CF-Access-Client-Id` and `CF-Access-Client-Secret` headers; treat both values as secrets.
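As an added example (not the project's `cloudflare.tf`), this is how the Access application, the domain-restricted user policy and a service-token policy for the CI health check fit together. It is written against Cloudflare provider v4 resource names; the resource labels, the application name and the `var.cloudflare_zone_id` / `var.cloudflare_account_id` variable names are assumptions.

```hcl
# Added example, not the project's cloudflare.tf. Assumes Cloudflare provider v4
# resource names and the variables var.cloudflare_zone_id / var.cloudflare_account_id
# (fed from the GitHub Secrets listed on this page).
resource "cloudflare_access_application" "app" {
  zone_id          = var.cloudflare_zone_id
  name             = "luminarium-proof-dev"
  domain           = "luminarium-proof-dev.luminarium.ai"
  type             = "self_hosted"
  session_duration = "24h"
}

# Interactive users: allow only the two corporate email domains.
resource "cloudflare_access_policy" "users" {
  application_id = cloudflare_access_application.app.id
  zone_id        = var.cloudflare_zone_id
  name           = "allowed-domains"
  precedence     = 2
  decision       = "allow"
  include {
    email_domain = ["luminarium.ai", "fastmarkets.com"]
  }
}

# Service token for the CI/CD health check. Access issues a client id/secret
# pair; the caller sends them as CF-Access-Client-Id / CF-Access-Client-Secret.
resource "cloudflare_access_service_token" "ci_health" {
  account_id = var.cloudflare_account_id
  name       = "ci-health-check-dev"
}

# "non_identity" is the decision for non-human callers. Scope the policy to
# exactly this token: a token issued for some other application in the account
# must not be accepted here.
resource "cloudflare_access_policy" "ci_health" {
  application_id = cloudflare_access_application.app.id
  zone_id        = var.cloudflare_zone_id
  name           = "ci-health-check"
  precedence     = 1
  decision       = "non_identity"
  include {
    service_token = [cloudflare_access_service_token.ci_health.id]
  }
}

# Hand the credentials to the pipeline only as sensitive outputs; they are
# never written to the repository.
output "ci_health_client_id" {
  value     = cloudflare_access_service_token.ci_health.client_id
  sensitive = true
}

output "ci_health_client_secret" {
  value     = cloudflare_access_service_token.ci_health.client_secret
  sensitive = true
}
```

The health-check step must send both headers; a request without them is redirected to the Access login page instead of reaching App Runner, so a check that omits them is testing Cloudflare rather than the application.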
Terraform Structure¶
```text
infra/
├── app/
│   ├── main.tf              # App Runner, RDS, VPC
│   ├── cloudflare.tf        # DNS, Access, service tokens
│   ├── ecr.tf               # Container registry
│   ├── github-ci-role.tf    # OIDC role for GitHub Actions
│   ├── variables.tf         # Input variables
│   ├── outputs.tf           # Output values
│   └── ecr-standalone/      # ECR (separate state)
└── backend-dev.hcl          # S3 backend config
```
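The OIDC role is what lets GitHub Actions obtain short-lived AWS credentials without a stored access key. As an added example (not the project's `github-ci-role.tf`), the shape of that role with a trust policy pinned to one repository and branch, and the wildcard it must not use. The repository name `luminarium/luminarium-proof`, the `main` branch, the `dev` environment and the `var.ecr_repository_arn` variable are assumptions; substitute the real values.

```hcl
# Added example, not the project's github-ci-role.tf. Assumes the repository
# "luminarium/luminarium-proof", deploys from the main branch or the "dev"
# GitHub environment, and an ECR repository ARN passed in from the separate
# ecr-standalone state as var.ecr_repository_arn.
variable "github_repo" {
  type    = string
  default = "luminarium/luminarium-proof" # assumed owner/name
}

variable "ecr_repository_arn" {
  type = string # assumed: output of the ecr-standalone state
}

resource "aws_iam_openid_connect_provider" "github" {
  url            = "https://token.actions.githubusercontent.com"
  client_id_list = ["sts.amazonaws.com"]
  # AWS now validates GitHub's issuer against its own trusted CA list, but the
  # argument is still required; this is GitHub's published thumbprint.
  thumbprint_list = ["6938fd4d98bab03faadb97b34396831e3780aea1"]
}

data "aws_iam_policy_document" "github_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }

    # Both conditions matter. Without the aud check a token minted for another
    # audience is accepted; without the sub check ANY repository on github.com
    # can assume this role.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    # Weak setting (do not use): "repo:${var.github_repo}:*" lets every
    # branch, tag and pull-request workflow in the repo deploy to dev.
    # Pin the subject to the branch or GitHub environment that may deploy.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:sub"
      values = [
        "repo:${var.github_repo}:ref:refs/heads/main",
        "repo:${var.github_repo}:environment:dev",
      ]
    }
  }
}

resource "aws_iam_role" "github_ci" {
  name                 = "lumi-dev-github-ci"
  assume_role_policy   = data.aws_iam_policy_document.github_trust.json
  max_session_duration = 3600 # one hour is enough for a plan/apply job
}

# Least privilege: grant only what the pipeline needs. ECR push is shown;
# App Runner deploy and state-bucket access would be added the same way.
data "aws_iam_policy_document" "github_ci_ecr" {
  statement {
    effect    = "Allow"
    actions   = ["ecr:GetAuthorizationToken"] # only valid on "*"
    resources = ["*"]
  }

  statement {
    effect = "Allow"
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:InitiateLayerUpload",
      "ecr:UploadLayerPart",
      "ecr:CompleteLayerUpload",
      "ecr:PutImage",
    ]
    resources = [var.ecr_repository_arn]
  }
}

resource "aws_iam_role_policy" "github_ci_ecr" {
  role   = aws_iam_role.github_ci.id
  policy = data.aws_iam_policy_document.github_ci_ecr.json
}

output "github_ci_role_arn" {
  value = aws_iam_role.github_ci.arn # this is what goes into AWS_CI_ROLE_ARN
}
```

On the workflow side the job needs `permissions: id-token: write` and assumes the role (for example with `aws-actions/configure-aws-credentials` and `role-to-assume`); no long-lived AWS key is stored in GitHub Secrets, only the role ARN.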
State Management¶
Terraform state is stored in S3 with DynamoDB locking; the backend settings live in `infra/backend-dev.hcl`:
```hcl
bucket         = "luminarium-dev-tf-bucket-state-..."
region         = "eu-west-2"
dynamodb_table = "luminarium-dev-tf-ddb-locktable"
encrypt        = true
```
Environment-Specific Config¶
Currently only dev environment exists. Staging/production will be added after Stage 0.
| Environment | Domain | RDS | Purpose |
|---|---|---|---|
| dev | luminarium-proof-dev.luminarium.ai | Yes | Development |
| staging | TBD | TBD | Pre-production |
| production | TBD | TBD | Production |
Secrets Management¶
| Secret | Location | Purpose |
|---|---|---|
| DB_PASSWORD | GitHub Secrets | RDS admin password |
| CLOUDFLARE_API_TOKEN | GitHub Secrets | Terraform Cloudflare provider |
| CLOUDFLARE_ZONE_ID | GitHub Secrets | luminarium.ai zone |
| CLOUDFLARE_ACCOUNT_ID | GitHub Secrets | Cloudflare account |
| AWS_CI_ROLE_ARN | GitHub Secrets | OIDC role for AWS |
Never Commit Secrets
All secrets are in GitHub Secrets or AWS Secrets Manager. Never commit credentials to the repository.
Making Infrastructure Changes¶
Infrastructure Changes
Infrastructure files (infra/, .github/workflows/, Dockerfile) should not be modified without coordination with infrastructure owners.
If changes are needed:
- Discuss with Paul first
- Create a PR with Terraform changes
- Review the Terraform plan in PR comments
- Merge only after plan is approved