|
| 1 | +# Infrastructure Documentation |
| 2 | + |
| 3 | +This document describes the AWS infrastructure defined in `template.yaml` for the ServiceLifecycle Lambda with PostgreSQL example. |
| 4 | + |
| 5 | +## Architecture Overview |
| 6 | + |
| 7 | +The infrastructure consists of a secure VPC setup with public and private subnets, a Lambda function in public subnets, and an RDS PostgreSQL database in private subnets. The architecture follows AWS best practices for security and connectivity. |
| 8 | + |
| 9 | +```mermaid |
| 10 | +graph TD |
| 11 | + subgraph "AWS Cloud" |
| 12 | + subgraph "VPC (10.0.0.0/16)" |
| 13 | + subgraph "Public Subnets" |
| 14 | + Lambda["Lambda Function"] |
| 15 | + NAT["NAT Gateway"] |
| 16 | + IGW["Internet Gateway"] |
| 17 | + end |
| 18 | + |
| 19 | + subgraph "Private Subnets" |
| 20 | + RDS["PostgreSQL RDS"] |
| 21 | + SSM1["SSM Endpoint"] |
| 22 | + SSM2["SSM Messages Endpoint"] |
| 23 | + SSM3["EC2 Messages Endpoint"] |
| 24 | + end |
| 25 | + |
| 26 | + Lambda -- "Egress to DB (5432)" --> RDS |
| 27 | + Lambda -- "Egress to AWS APIs (443)" --> Internet |
| 28 | + |
| 29 | + RDS -- "Ingress from Lambda (5432)" --> Lambda |
| 30 | + RDS -- "Ingress from SSM (5432)" --> SSM1 |
| 31 | + |
| 32 | + NAT -- "Outbound traffic" --> IGW |
| 33 | + IGW -- "Internet Access" --> Internet |
| 34 | + end |
| 35 | + |
| 36 | + SecretsManager["Secrets Manager"] |
| 37 | + APIGateway["API Gateway"] |
| 38 | + EC2["Amazon EC2"] |
| 39 | + |
| 40 | + APIGateway --> Lambda |
| 41 | + Lambda --> SecretsManager |
| 42 | + EC2 -- "Via SSM Endpoints" --> SSM1 |
| 43 | + SSM1 --> RDS |
| 44 | + end |
| 45 | + |
| 46 | + User["User"] --> APIGateway |
| 47 | + Admin["Admin"] --> EC2 |
| 48 | +``` |
| 49 | + |
| 50 | +## Key Components |
| 51 | + |
| 52 | +### Networking |
| 53 | + |
| 54 | +1. **VPC**: A dedicated VPC with CIDR block `10.0.0.0/16` |
| 55 | +2. **Subnets**: |
| 56 | + - Public Subnets (10.0.1.0/24, 10.0.2.0/24): For Lambda and NAT Gateway |
| 57 | + - Private Subnets (10.0.3.0/24, 10.0.4.0/24): For RDS and VPC endpoints |
| 58 | +3. **Internet Gateway**: Provides internet access for public subnets |
| 59 | +4. **NAT Gateway**: Allows outbound internet access from private subnets |
| 60 | +5. **Route Tables**: Separate route tables for public and private subnets |
| 61 | + |
| 62 | +### Security |
| 63 | + |
| 64 | +1. **Security Groups**: |
| 65 | + - **Lambda Security Group**: Restricts outbound traffic to: |
| 66 | + - PostgreSQL (5432) within the VPC |
| 67 | + - HTTPS (443) to the internet |
| 68 | + - **Database Security Group**: Allows inbound PostgreSQL connections only from: |
| 69 | + - Lambda Security Group |
| 70 | + - SSM Endpoint Security Group |
| 71 | + - **SSM Endpoint Security Group**: Allows HTTPS inbound for SSM connections |
| 72 | + |
| 73 | +2. **Encryption**: |
| 74 | + - RDS storage encryption enabled |
| 75 | + - SSL/TLS for database connections with certificate verification |
| 76 | + - Secrets Manager for secure credential storage |
| 77 | + |
| 78 | +### Compute & Database |
| 79 | + |
| 80 | +1. **Lambda Function**: |
| 81 | + - Runtime: provided.al2 (Swift) |
| 82 | + - Memory: 512MB |
| 83 | + - Timeout: 60 seconds |
| 84 | + - VPC integration with public subnets |
| 85 | + |
| 86 | +2. **RDS PostgreSQL**: |
| 87 | + - Instance class: db.t3.micro |
| 88 | + - Engine version: 15.7 |
| 89 | + - Storage: 20GB gp2 |
| 90 | + - Placed in private subnets |
| 91 | + - Not publicly accessible |
| 92 | + |
| 93 | +### Access & Management |
| 94 | + |
| 95 | +1. **Secrets Manager**: |
| 96 | + - Stores database credentials |
| 97 | + - Auto-generates secure password |
| 98 | + - Referenced by Lambda and RDS |
| 99 | + |
| 100 | +2. **VPC Endpoints**: |
| 101 | + - SSM Endpoint |
| 102 | + - SSM Messages Endpoint |
| 103 | + - EC2 Messages Endpoint |
| 104 | + - Enables CloudShell access to private resources |
| 105 | + |
| 106 | +3. **Function URL**: |
| 107 | + - HTTP endpoint for invoking Lambda function |
| 108 | + |
| 109 | +## Security Considerations |
| 110 | + |
| 111 | +1. **Network Isolation**: Database is in private subnets, not directly accessible from the internet |
| 112 | +2. **Least Privilege**: Security groups follow principle of least privilege |
| 113 | +3. **Encryption**: Data at rest is encrypted |
| 114 | +4. **Secure Credentials**: No hardcoded credentials, using Secrets Manager |
| 115 | +5. **SSL/TLS**: Database connections use SSL/TLS with certificate verification |
| 116 | + |
| 117 | +## Accessing the Database |
| 118 | + |
| 119 | +The database is in a private subnet and not directly accessible from the internet. To connect: |
| 120 | + |
| 121 | +1. **From Lambda**: Direct connection through VPC networking |
| 122 | +2. **From Amazon EC2**: Through SSM VPC endpoints |
| 123 | +3. **From your local machine**: Options include: |
| 124 | + - SSH tunnel through a bastion host |
| 125 | + - AWS Session Manager port forwarding |
| 126 | + - AWS Cloud9 environment in the same VPC |
| 127 | + |
| 128 | +## Deployment |
| 129 | + |
| 130 | +Deploy this infrastructure using AWS SAM: |
| 131 | + |
| 132 | +```bash |
| 133 | +sam deploy |
| 134 | +``` |
| 135 | + |
| 136 | +## Outputs |
| 137 | + |
| 138 | +After deployment, the following information is available in CloudFormation outputs: |
| 139 | + |
| 140 | +- API Gateway endpoint URL |
| 141 | +- Database endpoint hostname and port |
| 142 | +- Database name |
| 143 | +- Secret ARN for retrieving credentials |
| 144 | +- Connection instructions |
| 145 | + |
| 146 | +## Cost Optimization |
| 147 | + |
| 148 | +The template uses cost-effective resources: |
| 149 | +- db.t3.micro RDS instance (eligible for free tier) |
| 150 | +- Minimal storage allocation (20GB) |
| 151 | +- Single-AZ deployment |
| 152 | +- No automated backups |
| 153 | + |
| 154 | +For production workloads, consider adjusting these settings based on your requirements. |
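Review bot: The Lambda placement described in the "Architecture Overview" diagram and the "Compute & Database" list (`+ - VPC integration with public subnets`, `+ Lambda -- "Egress to AWS APIs (443)" --> Internet`) does not match how VPC-attached Lambda networking works: a Lambda ENI never receives a public IP, so a public-subnet route to the Internet Gateway gives it no internet path, and the NAT Gateway, which the "Networking" list says serves only the private subnets, is not on the Lambda's route table. Suggest moving the function to the private subnets (routed through the NAT Gateway, or better, reaching Secrets Manager via an interface VPC endpoint so the HTTPS-to-internet egress rule in the Lambda Security Group can be dropped entirely) and updating the diagram, the "Public Subnets" line and the "VPC integration" bullet to match. Two consistency points in the same file: "Access & Management" lists a Function URL while the diagram, "Accessing the Database" and "Outputs" all describe API Gateway, so state which entry point the template actually exposes and, if it is a Function URL, its auth type, since an open URL sits outside any API Gateway authorizer; and the VPC endpoints are said to enable "CloudShell access" in one place and "Amazon EC2 ... Through SSM VPC endpoints" in another, so pick one. Finally, "No automated backups" is a data-loss caveat and belongs under "Security Considerations" as well as "Cost Optimization".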