Infra Overview & Ownership
This page describes what the blog infrastructure repository owns from an infrastructure perspective, who depends on it, and how it fits into the wider system.
The primary audience is infra / platform engineers and SREs working with AWS, Terraform, and CI/CD. Application code, content, and general user-facing documentation live in sibling repositories such as blog_portal, blog_data, blog_code, blog_docs and blog_content.
Scope of this repository
This repository manages the AWS infrastructure for:
- Backstage portal at portal.rocketclub.online
- Prefect platform surface at pipelines.rocketclub.online
- Shared data platform components
  - Aurora (relational metadata DB)
  - S3 buckets for cached, raw, clean and design-file data
  - IAM roles and policies used by ECS tasks, Lambda and CI
  - Secrets Manager secrets for databases and external services
- Supporting edge and networking components
  - Cloudflare DNS and proxy configuration (modeled conceptually)
  - CloudFront distributions in front of the ALB
  - Application Load Balancer and target groups for ECS services
- Integration points to external managed services
  - Neo4j Aura (graph database)
  - Cloudinary (image CDN)
  - Prefect orchestration (self-hosted Prefect 3 on ECS)
All of the above are provisioned and managed via a single-root Terraform stack under infra/envs/prod.
Out of scope (documented elsewhere)
This repository does not define or document:
- Application code and data flows for the ETL / data pipelines
  - Owned by the blog_data repository (Prefect flows, Lambda code)
- General user-facing, editorial, or product documentation
  - Owned by the blog_docs repository
- The implementation of the public blog frontend on Vercel
This page may reference those systems only to clarify who consumes the infrastructure, not to document their internal behavior.
Related repositories (high-level roles)
These repositories work together to make up the full system. This repository is responsible for the shared AWS infrastructure they consume:
| Repository | Role |
|---|---|
| blog_infra | Terraform, AWS infrastructure and CI/CD for the platform |
| blog_portal | Backstage application and configuration that runs on the Backstage ECS service |
| blog_data | Prefect application and data pipelines that use S3, Neo4j Aura and Cloudinary |
| blog_code | Next.js public blog application deployed on Vercel |
| blog_docs | System documentation repo for a broader audience |
| blog_content | Markdown and MDX content for the blog |
High-level architecture
The diagram below shows the main components provisioned by this repository and how they connect at a high level.

At a glance:
- Traffic for the portal. and pipelines. hostnames is handled by Cloudflare and CloudFront, terminating at an Application Load Balancer.
- The ALB forwards requests to ECS services for Backstage and Prefect.
- Prefect workers and Lambda functions interact with Aurora, S3, Neo4j Aura and Cloudinary using IAM roles and secrets defined in this repo.
- The public blog frontend (in a separate repo and deployed on Vercel) consumes Neo4j Aura and Cloudinary, and uses certain S3 buckets for assets and data.
Ownership map
The table below ties together the major components in the diagram with their ownership and where they live in Terraform.
| Component / Surface | Owned by this repo? | Terraform location | Primary consumers |
|---|---|---|---|
| VPC, subnets, routing | Yes | infra/modules/core/network | All AWS services |
| CloudFront + ALB | Yes | infra/modules/core/edge + ALB modules | Backstage, Prefect ECS services |
| Backstage ECS service | Yes | infra/modules/apps/backstage | Portal users |
| Prefect access surface | Yes | infra/modules/apps/prefect | Self-hosted Prefect 3 API and workers |
| Aurora cluster | Yes | infra/modules/core/rds | Backstage, Prefect, data pipelines |
| S3 data buckets | Yes | infra/modules/core/s3-data | Prefect flows in blog_data |
| S3 design-files bucket | Yes | infra/modules/core/s3-data | Blog frontend, Lambda ork processor |
| IAM roles | Yes | infra/modules/core/iam-* | ECS tasks, Lambda functions, CircleCI |
| Secrets Manager secrets | Yes | infra/modules/core/secrets | ECS tasks, Lambda functions, CI |
| Prefect flows | No | — | Defined in blog_data |
| Lambda ork processor code | No (code), Yes (infra) | Lambda module | Deployed from blog_data package |
| Public blog frontend | No | — (Vercel infra) | Uses Neo4j Aura, Cloudinary, S3 |
This division of ownership is intentional: blog_infra describes and manages shared infrastructure, while application behavior and end-user documentation are kept in their respective repositories.