Phenom Infrastructure

Terraform infrastructure as code for deploying the Phenom application stack on AWS ECS

This section contains infrastructure documentation for the Phenom application stack. Access is restricted to the infrastructure team.

Overview

Phenom Infrastructure provides Terraform infrastructure as code for deploying the complete Phenom application stack on AWS ECS. This repository contains modular Terraform configurations that create a production-ready cloud environment with security, scalability, and monitoring best practices.

Repository

GitHub Repository: Phenom-earth/phenom-infra

Architecture

The infrastructure deploys a comprehensive AWS environment including:

Core Infrastructure

  • VPC: Virtual Private Cloud with public/private subnets across multiple availability zones
  • ECS Fargate: Containerized application cluster with auto-scaling capabilities
  • Application Load Balancer: Traffic routing and SSL termination
  • RDS PostgreSQL: Managed database service (or connection to existing database)
  • AWS Secrets Manager: Secure credential and configuration storage

Service Stack

The ECS cluster runs the following containerized services:

  1. GraphQL Service (Hasura GraphQL Engine)

    • Port: 8080
    • Provides GraphQL API and database migrations
  2. Auth Service (Hasura Auth)

    • Port: 4000
    • Handles authentication and JWT token management
  3. Storage Service (Hasura Storage)

    • Port: 5000
    • Manages file uploads and storage operations
  4. Functions Service (Nhost Functions)

    • Port: 3000
    • Executes serverless functions

Prerequisites

Before deploying the infrastructure, ensure you have:

  • Terraform >= 1.0
  • AWS CLI configured with appropriate credentials
  • AWS Account with sufficient permissions to create resources

Quick Start

1. Configure AWS Credentials

# Option 1: AWS CLI configuration
aws configure

# Option 2: Environment variables
export AWS_ACCESS_KEY_ID="your-access-key"
export AWS_SECRET_ACCESS_KEY="your-secret-key"
export AWS_DEFAULT_REGION="us-east-1"

# Option 3: AWS Profile
export AWS_PROFILE="your-profile-name"

2. Choose Environment

cd environments/<desired-env>

# Examples:
cd environments/development
# or
cd environments/production

3. Deploy Infrastructure

# Initialize Terraform
terraform init

# Review planned changes
terraform plan

# Deploy infrastructure
terraform apply

Environment Structure

environments/
├── development/
│   ├── main.tf          # Main configuration
│   ├── locals.tf        # Environment-specific variables
│   ├── versions.tf      # Terraform and provider versions
│   ├── backend.tf       # Remote state configuration
│   └── outputs.tf       # Output values
└── production/
    └── ... (same structure)
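The tree above lists a backend.tf holding the remote state configuration but does not show its contents. The following is an added illustration, not the repository's own file, of what a remote backend for environments/development could look like, together with the one-time bootstrap resources that such a backend needs. The bucket name, lock-table name and region are assumptions; the bootstrap resources live in a separate configuration that is applied once before this backend can be initialised, since a backend cannot depend on resources in the same root module.

```hcl
# backend.tf (illustrative; names are assumptions, not the repository's values)
terraform {
  backend "s3" {
    bucket         = "phenom-terraform-state"                   # assumed bucket name
    key            = "environments/development/terraform.tfstate"
    region         = "us-east-1"                                # assumed region
    encrypt        = true                                       # server-side encryption of the state object
    dynamodb_table = "phenom-terraform-locks"                   # assumed lock table, prevents concurrent applies
  }
}

# --- one-time bootstrap configuration, applied before the backend above is used ---

# The state bucket. State files record resource attributes, which can include
# secrets, so the bucket is versioned, encrypted and never public.
resource "aws_s3_bucket" "tf_state" {
  bucket = "phenom-terraform-state"   # must match the backend block above
}

# Versioning lets a corrupted or accidentally overwritten state be recovered.
resource "aws_s3_bucket_versioning" "tf_state" {
  bucket = aws_s3_bucket.tf_state.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "tf_state" {
  bucket = aws_s3_bucket.tf_state.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "aws:kms"
    }
  }
}

resource "aws_s3_bucket_public_access_block" "tf_state" {
  bucket                  = aws_s3_bucket.tf_state.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Lock table: the S3 backend writes a LockID item here while a plan or apply
# runs, so two engineers cannot mutate the same environment at once.
resource "aws_dynamodb_table" "tf_locks" {
  name         = "phenom-terraform-locks"   # must match the backend block above
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"

  attribute {
    name = "LockID"
    type = "S"
  }
}
```

With state kept remotely like this, `terraform init` in each environment directory pulls the state from S3 instead of writing a local terraform.tfstate, which is what makes the "never commit .tfstate" rule in the security section practical rather than a matter of discipline.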

Infrastructure Modules

Networking Module

  • VPC with public/private subnet architecture
  • NAT gateways for outbound internet access
  • Security groups for service isolation

Application Load Balancer (ALB)

  • SSL/TLS termination and certificate management
  • Target groups for service routing
  • Health checks and traffic distribution

ECS Module

  • Fargate cluster configuration
  • Task definitions for each service
  • Auto-scaling policies and service discovery

RDS Module (Optional)

  • PostgreSQL database with automated backups
  • Multi-AZ deployment for high availability
  • Parameter groups and security configurations

Post-Deployment Configuration

After successful deployment:

  1. Update Database Credentials: Modify database password in AWS Secrets Manager
  2. Configure DNS: Point your domain to the ALB DNS name (provided in Terraform outputs)
  3. Monitor Services: Verify in the AWS Console that all ECS services are running and passing their health checks

Terraform Outputs

The infrastructure provides these key outputs:

  • alb_dns_name: Application Load Balancer DNS name
  • service_endpoints: Direct URLs for each deployed service
  • database_endpoint: RDS connection endpoint (if applicable)

Security Best Practices

Credential Management

  • Never commit .tfstate files or .tfvars files to version control
  • Use AWS Secrets Manager for all sensitive configuration values
  • Implement least-privilege IAM permissions
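The three points above fit together in one task definition, shown here as an added example that is not the repository's own module code. It stores the GraphQL service's database URL in AWS Secrets Manager, grants the ECS task execution role read access to exactly that one secret, and injects it at task start through the task definition's `secrets` block instead of a plain environment value. The secret name, role name, CPU/memory sizes and image tag are assumptions; the port 8080 and the Hasura environment variable names come from the service stack description.

```hcl
# Secret container only. The value is written outside Terraform (console or CLI),
# so it appears neither in the code nor in Terraform state. If you instead manage
# the value with aws_secretsmanager_secret_version, that string is recorded in
# state, which is one more reason to keep state remote and encrypted.
resource "aws_secretsmanager_secret" "database_url" {
  name                    = "phenom-dev/database-url"   # assumed name
  recovery_window_in_days = 7
}

# Role that ECS itself assumes to pull the image and resolve secrets at launch.
data "aws_iam_policy_document" "ecs_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "task_execution" {
  name               = "phenom-dev-task-execution"   # assumed name
  assume_role_policy = data.aws_iam_policy_document.ecs_assume.json
}

# AWS-managed baseline: ECR pull and CloudWatch log writes, nothing about secrets.
resource "aws_iam_role_policy_attachment" "task_execution_managed" {
  role       = aws_iam_role.task_execution.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

# Least privilege: GetSecretValue on this one ARN, not secretsmanager:* on "*".
data "aws_iam_policy_document" "read_db_secret" {
  statement {
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [aws_secretsmanager_secret.database_url.arn]
  }
}

resource "aws_iam_role_policy" "read_db_secret" {
  name   = "read-database-url"
  role   = aws_iam_role.task_execution.id
  policy = data.aws_iam_policy_document.read_db_secret.json
}

resource "aws_ecs_task_definition" "graphql" {
  family                   = "phenom-dev-graphql"
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = 512    # assumed size
  memory                   = 1024   # assumed size
  execution_role_arn       = aws_iam_role.task_execution.arn

  container_definitions = jsonencode([
    {
      name         = "graphql"
      image        = "hasura/graphql-engine:VERSION_PLACEHOLDER"   # pin a real tag
      essential    = true
      portMappings = [{ containerPort = 8080, protocol = "tcp" }]

      # Non-sensitive settings can be ordinary environment values.
      environment = [
        { name = "HASURA_GRAPHQL_ENABLE_CONSOLE", value = "false" }
      ]

      # Weak form, shown for contrast and deliberately not used: a connection
      # string passed as a plain value is visible to anyone who can describe
      # the task definition, and it ends up in Terraform state.
      #   environment = [{ name = "HASURA_GRAPHQL_DATABASE_URL", value = var.database_url }]

      # Corrected form: ECS reads the secret with the execution role at task
      # start and exposes it to the container as an environment variable.
      secrets = [
        {
          name      = "HASURA_GRAPHQL_DATABASE_URL"
          valueFrom = aws_secretsmanager_secret.database_url.arn
        }
      ]
    }
  ])
}
```

Rotating the password in Secrets Manager, as the post-deployment steps describe, then only requires redeploying the service so that new tasks pick up the new value; no Terraform change is involved.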

Network Security

  • Private subnets for application and database tiers
  • Security groups with minimal required access
  • VPC Flow Logs for network monitoring
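As an added example of the three network controls, the following defines the security-group chain ALB -> ECS -> RDS, with each tier admitting traffic only from the security group in front of it, plus VPC Flow Logs delivered to CloudWatch. This is illustrative code, not the repository's networking module. The VPC id and the flow-log IAM role are assumed inputs; the four container ports are those listed in the service stack section, and 5432 is the PostgreSQL default port. It uses the per-rule `aws_vpc_security_group_*_rule` resources, which require AWS provider 5.x.

```hcl
# Assumed inputs (hypothetical): supplied by the networking module in practice.
variable "vpc_id" { type = string }
variable "flow_log_role_arn" { type = string }   # role trusted by vpc-flow-logs.amazonaws.com

locals {
  # Container ports from the service stack section.
  service_ports = {
    graphql   = 8080
    auth      = 4000
    storage   = 5000
    functions = 3000
  }
}

# ALB: the only tier reachable from the internet, and only on HTTPS.
# Note: Terraform strips the AWS default allow-all egress from aws_security_group,
# so every permitted flow, including egress, is stated explicitly below.
resource "aws_security_group" "alb" {
  name   = "phenom-dev-alb"
  vpc_id = var.vpc_id
}

resource "aws_vpc_security_group_ingress_rule" "alb_https" {
  security_group_id = aws_security_group.alb.id
  cidr_ipv4         = "0.0.0.0/0"
  from_port         = 443
  to_port           = 443
  ip_protocol       = "tcp"
}

# ALB may forward only to the ECS tasks, only on the service ports.
resource "aws_vpc_security_group_egress_rule" "alb_to_ecs" {
  for_each                     = local.service_ports
  security_group_id            = aws_security_group.alb.id
  referenced_security_group_id = aws_security_group.ecs.id
  from_port                    = each.value
  to_port                      = each.value
  ip_protocol                  = "tcp"
}

# ECS tasks in private subnets: each service port accepts traffic from the ALB
# security group only, never from a CIDR range, so the ports are not reachable
# from elsewhere in the VPC.
resource "aws_security_group" "ecs" {
  name   = "phenom-dev-ecs"
  vpc_id = var.vpc_id
}

resource "aws_vpc_security_group_ingress_rule" "ecs_from_alb" {
  for_each                     = local.service_ports
  security_group_id            = aws_security_group.ecs.id
  referenced_security_group_id = aws_security_group.alb.id
  from_port                    = each.value
  to_port                      = each.value
  ip_protocol                  = "tcp"
}

# Tasks need outbound access (via NAT) for ECR, Secrets Manager and the database.
resource "aws_vpc_security_group_egress_rule" "ecs_all" {
  security_group_id = aws_security_group.ecs.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "-1"
}

# RDS: PostgreSQL from the ECS tasks only; no egress rule, so the database
# initiates nothing.
resource "aws_security_group" "rds" {
  name   = "phenom-dev-rds"
  vpc_id = var.vpc_id
}

resource "aws_vpc_security_group_ingress_rule" "rds_from_ecs" {
  security_group_id            = aws_security_group.rds.id
  referenced_security_group_id = aws_security_group.ecs.id
  from_port                    = 5432
  to_port                      = 5432
  ip_protocol                  = "tcp"
}

# VPC Flow Logs: every accepted and rejected flow, kept for 90 days (assumed).
resource "aws_cloudwatch_log_group" "flow_logs" {
  name              = "/vpc/phenom-dev/flow-logs"   # assumed log group name
  retention_in_days = 90
}

resource "aws_flow_log" "vpc" {
  vpc_id               = var.vpc_id
  traffic_type         = "ALL"
  log_destination_type = "cloud-watch-logs"
  log_destination      = aws_cloudwatch_log_group.flow_logs.arn
  iam_role_arn         = var.flow_log_role_arn
}
```

Because the rules reference security groups rather than subnet CIDRs, the chain still holds when tasks are rescheduled to new IP addresses or when a subnet is added, and a rule that lets the internet reach 8080 directly would have to be written as an explicit, reviewable change to this file.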

Operations and Monitoring

Viewing Service Logs

# Tail ECS service logs
aws logs tail /ecs/phenom-dev --follow

# Check service health status
aws ecs describe-services --cluster phenom-dev-cluster --services phenom-dev-graphql

Common Troubleshooting

  • Permission Issues: Verify AWS credentials have sufficient IAM permissions
  • Resource Conflicts: Check for existing resources created outside Terraform
  • Service Health: Review CloudWatch logs and database connectivity

Destroying Infrastructure

⚠️ Warning: This permanently deletes all resources and data

terraform destroy

Ensure you have backed up any critical data before proceeding.

For complete implementation details and examples, refer to the GitHub repository README.