Deployment - AWS (ECS Fargate + Terraform)

Date: 2026-02-08

Summary

Deploy AccessOS in AWS using ECS Fargate with a tenant-isolated data-plane pattern in a single account, coordinated by a shared global control plane.

Goals

  • Repeatable dev/prod deployments via Terraform.
  • Tenant-isolated ECS service sets inside one account.
  • Controlled rollout across tenant fleets.
  • Managed persistence and secret handling.

Architecture (v0)

Shared Components

  • Route53 + ACM
  • Edge/router entrypoint (ALB and optional routing layer)
  • Global control plane services (tenant registry, licensing, routing snapshot publication)

Per-Tenant Data Plane

  • ECS Fargate service set per tenant:
      ◦ integrations-service
      ◦ discovery-service
      ◦ discovery-worker
      ◦ audit-service
      ◦ iam-service
  • Tenant-scoped storage/access:
      ◦ RDS scope (schema or DB partition)
      ◦ S3 evidence scope (prefix or bucket policy)
      ◦ Secrets Manager paths
      ◦ IAM task roles scoped to tenant resources

Networking

  • VPC with public/private subnets.
  • Shared ingress layer routes to tenant-specific service targets.
  • ECS tasks run in private subnets.

Domains and Routing

  • Preferred: tenant subdomains (for example, tenant.a3os.app).
  • Alternative: shared domain + routing layer that resolves tenant target from control-plane metadata.
  • Root domain can host tenant discovery/login bootstrap flow.

Persistence

  • RDS PostgreSQL for relational data.
  • S3 for evidence blobs.
  • Secrets Manager for sensitive env/config values.

Security

  • Tenant-specific IAM task roles and resource policies.
  • Secrets never traverse queues or logs.
  • KMS-backed encryption for sensitive storage.
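As an added illustration of the tenant-scoped task roles named in the Per-Tenant Data Plane and Security sections (example Terraform, not part of the AccessOS infra/stack/ modules), the following builds one ECS task role whose policy reaches only this tenant's S3 evidence prefix and Secrets Manager path. The variable names, the `accessos-<tenant>-task` role name, the `tenants/<tenant>/` S3 prefix and the `accessos/<tenant>/` secret path are assumptions chosen for the example.

```hcl
variable "tenant_id"       { type = string }
variable "evidence_bucket" { type = string }
variable "region"          { type = string }
variable "account_id"      { type = string }

# Trust policy: only ECS tasks may assume this tenant's role.
data "aws_iam_policy_document" "task_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "tenant_task" {
  name               = "accessos-${var.tenant_id}-task" # assumed naming scheme
  assume_role_policy = data.aws_iam_policy_document.task_assume.json
}

# Tenant scope: this tenant's evidence prefix and secret path only (paths are assumptions).
data "aws_iam_policy_document" "tenant_scope" {
  statement {
    sid       = "EvidencePrefixObjects"
    actions   = ["s3:GetObject", "s3:PutObject"]
    resources = ["arn:aws:s3:::${var.evidence_bucket}/tenants/${var.tenant_id}/*"]
  }
  statement {
    sid       = "EvidencePrefixList"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::${var.evidence_bucket}"]
    condition { # listing is allowed only under the tenant's own prefix
      test     = "StringLike"
      variable = "s3:prefix"
      values   = ["tenants/${var.tenant_id}/*"]
    }
  }
  statement {
    sid       = "TenantSecrets"
    actions   = ["secretsmanager:GetSecretValue"]
    # Secret ARNs carry a random suffix, hence the trailing wildcard on the path.
    resources = ["arn:aws:secretsmanager:${var.region}:${var.account_id}:secret:accessos/${var.tenant_id}/*"]
  }
}

resource "aws_iam_role_policy" "tenant_scope" {
  name   = "tenant-scope"
  role   = aws_iam_role.tenant_task.id
  policy = data.aws_iam_policy_document.tenant_scope.json
}
```

Reference `aws_iam_role.tenant_task.arn` as the `task_role_arn` of each service in the tenant's task definitions; a task of tenant A then has no path to tenant B's prefix or secrets even inside the shared account.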

Infrastructure-as-Code

  • infra/stack/: reusable modules
  • infra/envs/dev/ and infra/envs/prod/: environment planes
  • Tenant provisioning parameters drive per-tenant service-set creation.

CI/CD

  1. Build images and push tags.
  2. Deploy to dev tenant fleet (canary/waves).
  3. Promote approved version to prod tenant fleet with controlled waves.

Environment Control

  • Pause/resume supported per environment and/or per tenant service set.
  • Destructive actions require explicit approval and guardrails.

Open Questions

  • Quota strategy and thresholds for moving select tenants to account-per-tenant.
  • Routing layer implementation choice for shared-hostname fallback.
  • Standard for tenant provisioning automation inputs/outputs.