Infra Overview & Ownership
This page describes what the platform infrastructure in this repo owns from an infrastructure perspective, who depends on it, and how it fits into the wider system.
The primary audience is infra / platform engineers and SREs working with AWS, Terraform, and CI/CD. Application code and pipeline logic also live in this monorepo (or in sibling repos), but are out of scope here.
Scope of this repository
This repository manages the AWS infrastructure for:
- Backstage portal at portal.rocketclub.online
- Prefect platform surface at pipelines.rocketclub.online
- Shared data platform components
  - Aurora (relational metadata DB)
  - S3 buckets for cached, raw, clean and design-file data
  - IAM roles and policies used by ECS tasks, Lambda and CI
  - Secrets Manager secrets for databases and external services
- Supporting edge and networking components
  - Cloudflare DNS and proxy configuration (modeled conceptually)
  - CloudFront distributions in front of the ALB
  - Application Load Balancer and target groups for ECS services
- Integration points to external managed services
  - Neo4j Aura (graph database)
  - Cloudinary (image CDN)
  - Prefect orchestration (self-hosted Prefect 3 on ECS)
All of the above are provisioned and managed via a single-root Terraform stack under infra/platform/infra/envs/prod.
Out of scope (documented elsewhere)
This repository does not define or document:
- Application code and data flows for the ETL / data pipelines
  - Owned by the blog_data repository (Prefect flows, Lambda code)
- General user-facing, editorial, or product documentation
  - Owned by the blog_docs repository
- The implementation of the public blog frontend on Vercel
This page may reference those systems only to clarify who consumes the infrastructure, not to document their internal behavior.
Related repositories (high-level roles)
These repositories work together to make up the full system. This repository is responsible for the shared AWS infrastructure they consume:
| Repo / area | Role |
|---|---|
| infra/platform/infra | Terraform modules + environment root for AWS infrastructure |
| infra/platform/scripts | CI-friendly wrappers for Terraform and image builds |
| apps/docs | Canonical documentation site for this monorepo |
| data/platform / pipelines | Prefect flows, data processing code, and runtime helpers (consumes infra) |
High-level architecture
The diagram below shows the main components provisioned by this repository and how they connect at a high level.

At a glance:
- Traffic for portal. and pipelines. hostnames is handled by Cloudflare and CloudFront, terminating at an Application Load Balancer.
- The ALB forwards requests to ECS services for Backstage and Prefect.
- Prefect workers and Lambda functions interact with Aurora, S3, Neo4j Aura and Cloudinary using IAM roles and secrets defined in this repo.
- The public blog frontend (in a separate repo and deployed on Vercel) consumes Neo4j Aura and Cloudinary, and uses certain S3 buckets for assets and data.
Ownership map
The table below ties together the major components in the diagram with their ownership and where they live in Terraform.
| Component / Surface | Owned by this repo? | Terraform location (indicative) | Primary consumers |
|---|---|---|---|
| VPC, subnets, routing | Yes | infra/platform/infra/modules/core/network | All AWS services |
| CloudFront + ALB | Yes | infra/platform/infra/modules/core/cloudfront-apps + .../core/alb | Backstage, Prefect ECS services |
| Backstage ECS service | Yes | infra/platform/infra/modules/apps/backstage | Portal users |
| Prefect access surface | Yes | infra/platform/infra/modules/apps/prefect-api + .../apps/prefect-worker | Self-hosted Prefect 3 API and workers |
| Aurora cluster | Yes | infra/platform/infra/modules/core/aurora | Backstage, Prefect, data pipelines |
| S3 data buckets | Yes | infra/platform/infra/modules/core/s3-data | Prefect flows / tools |
| S3 design-files bucket | Yes | infra/platform/infra/modules/core/s3-data | Frontend + Lambda .ork processor |
| IAM roles | Yes | infra/platform/infra/modules/core/iam | ECS tasks, Lambda functions, CI |
| Secrets Manager secrets | Yes | Primarily infra/platform/infra/modules/core/iam (+ env wiring in infra/platform/infra/envs/prod) | ECS tasks, Lambda functions, CI |
| Prefect flows | No | — | Pipeline code (outside infra root) |
| Lambda .ork processor | Infra yes / code no | Lambda infra in Terraform; code lives with data/pipelines | Deployed from pipeline code |
| Public blog frontend | No | — (Vercel / external) | Uses Neo4j Aura, Cloudinary, S3 |
This division of ownership is intentional: the Terraform under infra/platform/infra describes and manages shared infrastructure, while application behavior and end-user documentation are kept closer to the application code.