Infrastructure Stacks
| Stack | Directory | Provisions |
|---|---|---|
| account_prep | infrastructure/.../account_prep/ | State S3 + DynamoDB lock, KMS root CMK, CloudTrail, GuardDuty, GitHub OIDC |
| data | infrastructure/.../data/ | KMS CMK, DynamoDB, S3 (usage + audit archives), Kinesis Firehose, Glue + Athena, SES, billing aggregator Lambda, audit processor Lambda |
| backend | infrastructure/.../backend/ | Cognito User Pool + Hosted UI, API Gateway REST, control-plane Lambdas, CloudWatch dashboard, saved Logs Insights queries |
| proxy | infrastructure/.../proxy/ | Proxy Lambda + Function URL, WAF Web ACL, ACM wildcard cert, CloudFront distribution, Route53 wildcard alias |
| frontend | infrastructure/.../frontend/ | S3 bucket (OAC), CloudFront distribution, ACM cert, Route53 alias |
Consistency rules
When changing infrastructure, keep linked elements in sync:
- API endpoints ↔ frontend API client calls
- DynamoDB entity schemas ↔ backend handler code
- Tofu variables ↔ tfvars files
- Lambda handler map ↔ handler files
- Proxy handler logic ↔ grant enforcement rules
When adding a new Lambda, add its /aws/lambda/<name> log group to all_log_group_names in backend/saved_queries.tf and to any saved query that should scope to all log groups.
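As an added check for the rule above (example code, not the project's own scripts): it scans Tofu sources for aws_lambda_function resources and reports every Lambda whose /aws/lambda/<name> log group is absent from all_log_group_names, so a new function cannot silently fall out of the saved queries' scope. It assumes function_name is a string literal and all_log_group_names is a list of string literals; the .tf snippets below are constructed samples.

```python
import re

# Assumptions (not verified against the project): every Lambda is an
# aws_lambda_function resource with a literal function_name, and
# saved_queries.tf holds all_log_group_names as a list of string literals.
ANY_RESOURCE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"[^"]+"\s*\{', re.M)
FUNCTION_NAME = re.compile(r'function_name\s*=\s*"([^"]+)"')
LOG_GROUP_LIST = re.compile(r'all_log_group_names\s*=\s*\[(.*?)\]', re.S)
STRING_LITERAL = re.compile(r'"([^"]+)"')

def lambda_names(tf_sources: list[str]) -> set[str]:
    names: set[str] = set()
    for src in tf_sources:
        heads = list(ANY_RESOURCE.finditer(src))
        for i, head in enumerate(heads):
            if head.group(1) != "aws_lambda_function":
                continue
            # Stop at the next resource so a function_name inside e.g. an
            # aws_lambda_permission block is not mistaken for a Lambda name.
            end = heads[i + 1].start() if i + 1 < len(heads) else len(src)
            match = FUNCTION_NAME.search(src, head.end(), end)
            if match:
                names.add(match.group(1))
    return names

def declared_log_groups(saved_queries_tf: str) -> set[str]:
    match = LOG_GROUP_LIST.search(saved_queries_tf)
    if match is None:
        raise ValueError("all_log_group_names not found in saved_queries.tf")
    return set(STRING_LITERAL.findall(match.group(1)))

def missing_log_groups(tf_sources: list[str], saved_queries_tf: str) -> list[str]:
    """Lambdas whose /aws/lambda/<name> group the saved queries do not cover."""
    expected = {f"/aws/lambda/{name}" for name in lambda_names(tf_sources)}
    return sorted(expected - declared_log_groups(saved_queries_tf))

# Constructed sample inputs: audit-processor is deliberately missing from the list.
SAMPLE_LAMBDAS_TF = '''resource "aws_lambda_function" "audit_processor" {
  function_name = "audit-processor"
  environment { variables = { STAGE = var.stage } }
}
resource "aws_lambda_permission" "audit_invoke" {
  function_name = aws_lambda_function.audit_processor.function_name
}
resource "aws_lambda_function" "proxy" {
  function_name = "proxy"
}
'''
SAMPLE_SAVED_QUERIES_TF = 'locals {\n  all_log_group_names = ["/aws/lambda/proxy"]\n}\n'
```

Running `missing_log_groups` over the real backend and proxy .tf files in CI turns the rule into a failing check rather than a reminder.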
Ops tasks
```sh
# Grant / revoke platform admin (sets platform_role on the DDB user row)
./scripts/make-admin.sh <stage> <email>
./scripts/make-admin.sh <stage> <email> --revoke

# Re-seed the model catalog manually
cd scripts && uv run seed_models.py --stage <stage> --region eu-central-1
```

After a platform-admin change, the user must sign out and back in for the new JWT claim to take effect.