A production-grade cloud ecosystem designed as a professional "sandbox" to master advanced AWS architecture, Infrastructure as Code (IaC), and secure CI/CD patterns. This project moves beyond a simple static website, implementing a decoupled microservices-style architecture with automated security, cost transparency, and multi-environment orchestration.
The system is split into three core pillars—Infra, Backend, and Frontend—coordinated through a zero-trust deployment pipeline using OIDC and dynamic resource discovery via SSM.
- Infrastructure as Code (IaC): 100% automated provisioning using Terraform with remote S3 state and native S3 locking.
- Serverless Go Backend: High-performance API logic written in Go, deployed as AWS Lambda functions.
- Origin Shielding: Custom security "handshake" between CloudFront and API Gateway using a Lambda Authorizer to prevent direct backend access.
- Automated Secret Rotation: Go-based rotation function that updates security keys in AWS Secrets Manager.
- FinOps Observability: Automated billing observer that queries the AWS Cost Explorer API and displays real-time MTD costs on the UI.
- Zero-Trust CI/CD: Secure GitHub Actions pipelines using OIDC (OpenID Connect) to assume short-lived IAM roles.
- Dynamic Discovery: Cross-repository coordination using AWS SSM Parameter Store to share resource ARNs between pipelines.
- Modern Frontend: A responsive Vue.js and Tailwind CSS application bundled with Vite.
The architecture follows a serverless approach to maximize scalability while maintaining a near-zero cost floor. By utilizing managed services like AWS Lambda, API Gateway, and S3, the infrastructure scales to zero when not in use, eliminating the overhead of traditional server management.
The infrastructure leverages AWS Organizations to establish clear account boundaries and centralized governance. Each environment (Development and Production) is isolated within its own AWS account, following the multi-account best practices for security, billing separation, and blast radius containment.
Access management is handled through AWS IAM Identity Center (formerly AWS SSO), providing:
- Centralized authentication across all accounts in the organization
- Permission sets that define consistent IAM policies across environments
- Temporary credentials for human users, eliminating the need for long-lived access keys
- Audit trails for compliance and security monitoring
This setup ensures that development activities remain isolated from production resources while maintaining streamlined access for authorized personnel.
The project simulates a real-world production lifecycle across two isolated environments:
- Development: Rapid testing environment with caching disabled for immediate feedback.
- Production: High-availability stack with CloudFront caching, manual approval gates, and automated secret rotation.
The project is architected as a distributed system across three dedicated repositories:
| Repository | Purpose | Key Technologies |
|---|---|---|
| portfolio-infra | Foundations | Terraform, CloudFront, API Gateway, IAM, SSM |
| portfolio-backend | Logic & Security | Go, Lambda, Secrets Manager, Cost Explorer |
| portfolio-frontend | User Experience | Vue.js, Vite, Tailwind CSS, S3 |
Terraform variables are used to manage environment parity and specific resource policies:
# Example variable configuration (terraform.tfvars)
cloudfront_frontend_cache_policy = "CachingOptimized"
cloudfront_backend_cache_policy = "CachingDisabled"
origin_verify_rotation = 14 # Secret rotation every 14 days
lambda_log_retention = 30 # CloudWatch log expiry| Option | Technology | Description |
|---|---|---|
| State Storage | S3 | Persistent Terraform state with versioning |
| State Locking | S3 | Prevents concurrent execution (Native S3 locking) |
| Discovery | SSM Parameter Store | Bridge for cross-repo resource sharing |
| Secrets | AWS Secrets Manager | Centralized storage for "Origin-Verify" keys |
The deployment process follows GitHub Flow branching strategy and mimics an enterprise workflow with strict governance and security:
- GitHub Flow: Feature branches are created from
main, reviewed via Pull Requests, and merged back tomainupon approval. - Infrastructure PRs: When a PR is opened in the infra repository, the pipeline automatically generates a Terraform plan and posts it as a GitHub Summary comment on the PR for review before merging.
- Environment Promotion: Merging to
mainautomatically triggers deployment to the Development environment. Production deployments require manual dispatch.
- Identity: GitHub Actions requests a JWT from GitHub OIDC.
- Authorization: AWS IAM validates the JWT and issues temporary credentials via an IAM Role.
- Discovery: The pipeline queries SSM Parameter Store to retrieve the target S3 Bucket ARNs.
- Build:
- Frontend: Vite bundles Vue/Tailwind into a
dist/folder. - Backend: Go source is compiled into optimized Linux binaries.
- Infra: Generates a Terraform plan and displays it in GitHub Summary for review.
- Frontend: Vite bundles Vue/Tailwind into a
- Approval (Production Only):
- Manual workflow dispatch triggers a new Terraform plan.
- The plan is posted to GitHub Summary and awaits manual approval.
- Upon approval, the pipeline reruns the plan to detect any drift between initial plan and approval time.
- If no drift is detected, the apply proceeds; otherwise, a new approval cycle is triggered.
- Notification: Deployment status and logs are pushed to Slack.
- PR Summaries (Infra): Automated Terraform plan output is posted as a comment on Pull Requests, enabling reviewers to assess infrastructure changes before merging.
- Deployment Summaries: Each deployment generates a detailed GitHub Summary showing build artifacts, deployment status, and approval checkpoints to aid in decision-making.
To optimize costs and security, the API is shielded from public discovery:
- CloudFront injects a high-entropy secret header into every request.
- The Lambda Authorizer (Go) validates this header against Secrets Manager.
- Unauthorized requests bypassing the CDN are rejected at the API Gateway level.
- A dedicated Rotation Lambda is triggered based on the environment's rotation config.
- It generates a new secret, updates the Secrets Manager entry, and synchronizes the CloudFront distribution.
- This ensures the "handshake" key is rotated without manual intervention or downtime.
A key challenge in cloud engineering is balancing observability with operational costs. This project implements a "Cached Reporting" pattern to maintain visibility:
- Problem: Each request to the AWS Cost Explorer API costs $0.01. Exposing this API directly to a frontend would lead to significant, unpredictable costs from user refreshes or automated bots.
- Justification: By using an EventBridge Scheduler to trigger the Cost Reporter Lambda once per week (or month), the project keeps the total cost to a fraction of a cent per month.
- Result: Billing data is cached in DynamoDB. The frontend retrieves this cached data via the Go backend at virtually no cost, providing full transparency without the financial overhead of direct API calls.
