# AWS Infrastructure

TL;DR: 2 AWS accounts (DEV 766597584338, PROD 137355570712), 4 environments (dev, rc, sandbox, prod), 1 EKS cluster per environment, spot instances everywhere except prod.
## Overview
Securitize runs its backend on Kubernetes (AWS EKS), split across two AWS accounts:
- AWS DEV hosts the lower environments (`dev` and `rc`).
- AWS PROD hosts `sandbox` and `production`.
Each environment has its own EKS cluster, its own global secrets (Kubernetes Secrets, per env), and its own Jenkins deploy pipeline.
## AWS accounts (SSOT)
| Account | Account ID | Alias | CLI profile | Environments |
|---|---|---|---|---|
| AWS DEV | 766597584338 | Securitize-dev | default (or dev) | dev, rc |
| AWS PROD | 137355570712 | — | prod | sandbox, production |
This page is the SSOT for AWS account IDs.
Every other page that mentions AWS accounts links back here instead of repeating the IDs.
## Kubernetes / EKS
- Orchestration: Kubernetes on AWS EKS.
- Clusters: 1 cluster per environment (`dev`, `rc`, `sandbox`, `prod`).
- Containerization: Docker.
- Backend tech:
- Majority: NestJS (TypeScript).
- Legacy: some services on Express + TypeScript.
## Service types
| Type | Exposure | Notes |
|---|---|---|
| Microservices (internal) | Not publicly exposed. Accessible via VPN. | The majority of backend services. |
| Gateways | Publicly exposed via ingress. | NestJS services consumed by the frontends. |
Ingress rules per environment live in the ops-k8s-infra repo — see ops-repos.md.
## Spot vs on-demand strategy
| Environment | Instance type | Behavior |
|---|---|---|
| dev, rc, sandbox | Spot instances | Pods rotate frequently (evictions and rescheduling are normal). Restart loops can be spot-induced, not a bug. |
| prod | On-demand | Stable scheduling. |
Debugging pod restarts in lower envs
Before investigating a pod restart in dev/rc/sandbox, check if the node was evicted. Spot rotation is the default assumption, not an incident.
## Environments and promotion
| Environment | Purpose |
|---|---|
| dev | Team development and integration. |
| rc | Release candidate — QA runs daily automation here. |
| sandbox | Pre-prod in the PROD AWS account. |
| prod | Production. |
Promotion flow (branch → environment) is a Jenkins concern — see jenkins-k8s-jobs.md.
## Kubernetes secrets (per environment)
Every environment has its own set of Kubernetes Secrets (global + per-service). Secret values are never committed to git — only references via `secretRef` / `env.valueFrom.secretKeyRef` in each service's `deployment.yaml`.
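The reference-only convention above, as an added illustration (not a manifest from any Securitize repo): a global Secret is pulled in whole with `envFrom.secretRef`, a per-service key with `valueFrom.secretKeyRef`, and the rejected inline form is shown commented out. The service name, image, Secret names and key names are assumed.

```yaml
# Added example of the secret-reference convention; the names
# my-service, global-secrets, my-service-secrets and db-password
# are assumed placeholders, not values from the page.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-service
spec:
  selector:
    matchLabels:
      app: my-service
  template:
    metadata:
      labels:
        app: my-service
    spec:
      containers:
        - name: my-service
          image: registry.example.invalid/my-service:1.0.0  # placeholder
          # Global secrets for this environment: every key in the
          # Secret becomes an environment variable in the container.
          envFrom:
            - secretRef:
                name: global-secrets
          env:
            # Per-service secret: only the referenced key is exposed,
            # and the value itself lives in the cluster, not in git.
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: my-service-secrets
                  key: db-password
            # Not this: an inline value would commit the secret to git
            # and show up in every copy of the manifest.
            # - name: DB_PASSWORD
            #   value: "plaintext-password"
```

Because each environment has its own Secrets, the same manifest resolves to different values per cluster without any change to the file.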
Full documentation — including the list of global secrets, per-service references, NPM token handling, and the rotation runbook — lives in secrets.md.
## IaC coverage
- Base AWS infra (VPC, RDS, Redis, EKS, networking): primarily configured manually through the AWS Console. A subset is managed with Terraform, which lives in the `ops-infra` + `ops-terraform-modules` repos — see ops-repos.md.
- Frontend infra (S3 + CloudFront): modern frontends define it via SST/CDK in their `infra/` folder. Legacy frontends use a different deploy path (see frontend-architecture.md).
## See also
- Databases & External Services — Specific database engines, Kafka clusters, self-hosted tools.
- Ops Repositories — Terraform state, cluster manifests, kops scripts.
- Secrets — K8s secrets + NPM token rotation runbook.
- Jenkins K8s Jobs — How deploys target specific environments.