/categories/infrastructure/ Recent content in Infrastructure on IGAAWI docs Hugo en-us Thu, 19 Mar 2026 00:00:00 +0000 /infrastructure/tools/ Thu, 19 Mar 2026 00:00:00 +0000 /infrastructure/tools/ <p>Please install the following tools:</p> <h2 id="argocd-cli">argocd cli</h2> <p><a href="https://argo-cd.readthedocs.io/en/stable/cli_installation/">https://argo-cd.readthedocs.io/en/stable/cli_installation/</a></p> <h2 id="aws-cli">aws cli</h2> <p><a href="https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html">https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html</a></p> <h2 id="aws-vault">aws-vault</h2> <p><a href="https://github.com/99designs/aws-vault">https://github.com/99designs/aws-vault</a></p> <div class="alert alert-warning" role="alert"> <h4 class="alert-heading">Important</h4> You specifically need 7.x version. If you run previous 6.x - things may not work for you. </div> <h2 id="git-crypt">git-crypt</h2> <p><a href="https://github.com/AGWA/git-crypt">https://github.com/AGWA/git-crypt</a></p> <h2 id="helm">helm</h2> <p><a href="https://helm.sh/docs/intro/install/">https://helm.sh/docs/intro/install/</a></p> <h2 id="kubectl">kubectl</h2> <p><a href="https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/">https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/</a></p> <h2 id="pre-commit">pre-commit</h2> <p><a href="https://pre-commit.com/#install">https://pre-commit.com/#install</a></p> <h2 id="taskfile">taskfile</h2> <p><a href="https://taskfile.dev/installation/">https://taskfile.dev/installation/</a></p> <p>Replaces our previous solution based on Makefile</p> <h2 id="terraform">terraform</h2> <p><a href="https://developer.hashicorp.com/terraform/install">https://developer.hashicorp.com/terraform/install</a></p> <h2 id="terragrunt">terragrunt</h2> <p><a href="https://terragrunt.gruntwork.io/docs/getting-started/install/">https://terragrunt.gruntwork.io/docs/getting-started/install/</a></p> <h2 id="tfenv">tfenv</h2> <p><a href="https://github.com/tfutils/tfenv">https://github.com/tfutils/tfenv</a></p> <p>Once you have tfenv installed, you can install a required terraform 1.8.0:</p> <div class="highlight"><pre tabindex="0" style="color:#4c4f69;background-color:#eff1f5;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>tfenv install 1.8.0</span></span></code></pre></div> <h2 id="tfupdate">tfupdate</h2> <p><a href="https://github.com/minamijoyo/tfupdate">https://github.com/minamijoyo/tfupdate</a></p> /infrastructure/authentication/ Thu, 19 Mar 2026 00:00:00 +0000 /infrastructure/authentication/ <h2 id="aws">AWS</h2> <h3 id="configure-sso">Configure SSO</h3> <div class="alert alert-warning" role="alert"> <h4 class="alert-heading">Important</h4> <p>You will need to upgrade to latest:</p> <ul> <li>aws-vault 7.2.0,</li> <li>aws 2.15.38</li> </ul> <p>And then remove old <strong>saritasa/v2/administrators</strong> profile from the <code>~/.aws/config</code> file, otherwise you may get crashes.</p> </div> <div class="highlight"><pre tabindex="0" style="color:#4c4f69;background-color:#eff1f5;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>aws configure sso </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>SSO session name <span style="color:#04a5e5;font-weight:bold">(</span>Recommended<span style="color:#04a5e5;font-weight:bold">)</span>: saritasa/v2/administrators </span></span><span style="display:flex;"><span>SSO start URL <span style="color:#04a5e5;font-weight:bold">[</span>None<span style="color:#04a5e5;font-weight:bold">]</span>: https://saritasa.awsapps.com/start </span></span><span style="display:flex;"><span>SSO region <span style="color:#04a5e5;font-weight:bold">[</span>None<span style="color:#04a5e5;font-weight:bold">]</span>: us-west-2 </span></span><span style="display:flex;"><span>SSO registration scopes <span style="color:#04a5e5;font-weight:bold">[</span>sso:account:access<span style="color:#04a5e5;font-weight:bold">]</span>: </span></span><span style="display:flex;"><span>Attempting to automatically open the SSO authorization page in your default browser. </span></span><span style="display:flex;"><span>If the browser does not open or you wish to use a different device to authorize this request, open the following URL: </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>https://device.sso.us-west-2.amazonaws.com/ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Then enter the code: </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>LWGS-RVJX </span></span><span style="display:flex;"><span>There are <span style="color:#fe640b">3</span> AWS accounts available to you. </span></span><span style="display:flex;"><span>Using the account ID <span style="color:#fe640b">965067289393</span> </span></span><span style="display:flex;"><span>There are <span style="color:#fe640b">2</span> roles available to you. </span></span><span style="display:flex;"><span>Using the role name <span style="color:#40a02b">&#34;saritasa-administrators-role&#34;</span> </span></span><span style="display:flex;"><span>CLI default client Region <span style="color:#04a5e5;font-weight:bold">[</span>None<span style="color:#04a5e5;font-weight:bold">]</span>: us-west-2 </span></span><span style="display:flex;"><span>CLI default output format <span style="color:#04a5e5;font-weight:bold">[</span>None<span style="color:#04a5e5;font-weight:bold">]</span>: json </span></span><span style="display:flex;"><span>CLI profile name <span style="color:#04a5e5;font-weight:bold">[</span>saritasa-administrators-role-965067289393<span style="color:#04a5e5;font-weight:bold">]</span>: saritasa/v2/administrators </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>To use this profile, specify the profile name using --profile, as shown: </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>aws s3 ls --profile saritasa/v2/administrators </span></span></code></pre></div><p>then modify your <code>~/aws/profile</code> and change profile <code>saritasa-administrators-role-965067289393</code> to match the following. Change it&rsquo;s name <strong>saritasa/v2/administrators</strong> and include <code>credential_process</code> as shown below:</p> /infrastructure/terraform/ Thu, 19 Mar 2026 00:00:00 +0000 /infrastructure/terraform/ <h2 id="teragrunt">Teragrunt</h2> <p>Entire implementation is implemented as terraform. In order to use it, make sure you have <a href="https://terragrunt.gruntwork.io/">terragrunt</a> installed as per <a href="/infrastructure/tools/" title="Tools">tools requirements</a></p> <p>&#x1f680; Terraform repository: <a href="https://github.com/saritasa-nest/igaawi-infra-aws">saritasa-nest/igaawi-infra-aws</a></p> <div class="highlight"><pre tabindex="0" style="color:#4c4f69;background-color:#eff1f5;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>➜ tree -d </span></span><span style="display:flex;"><span>. </span></span><span style="display:flex;"><span>├── bin </span></span><span style="display:flex;"><span>├── envs </span></span><span style="display:flex;"><span>│ ├── prod </span></span><span style="display:flex;"><span>│ │ ├── apps </span></span><span style="display:flex;"><span>│ │ │ ├── api-backend </span></span><span style="display:flex;"><span>│ │ │ └── frontend </span></span><span style="display:flex;"><span>│ │ ├── aws </span></span><span style="display:flex;"><span>│ │ │ ├── backups </span></span><span style="display:flex;"><span>│ │ │ ├── billing </span></span><span style="display:flex;"><span>│ │ │ ├── ecr </span></span><span style="display:flex;"><span>│ │ │ ├── eks </span></span><span style="display:flex;"><span>│ │ │ ├── elasticache </span></span><span style="display:flex;"><span>│ │ │ ├── guardduty </span></span><span style="display:flex;"><span>│ │ │ ├── notifications </span></span><span style="display:flex;"><span>│ │ │ ├── organizations </span></span><span style="display:flex;"><span>│ │ │ ├── rds </span></span><span style="display:flex;"><span>│ │ │ ├── route53 </span></span><span style="display:flex;"><span>│ │ │ ├── ses </span></span><span style="display:flex;"><span>│ │ │ ├── sso </span></span><span style="display:flex;"><span>│ │ │ └── vpc </span></span><span style="display:flex;"><span>│ │ └── platforms </span></span><span style="display:flex;"><span>│ │ ├── airbyte </span></span><span style="display:flex;"><span>│ │ ├── docs </span></span><span style="display:flex;"><span>│ │ ├── github </span></span><span style="display:flex;"><span>│ │ ├── keycloak </span></span><span style="display:flex;"><span>│ │ ├── opsgenie </span></span><span style="display:flex;"><span>│ │ ├── rattic </span></span><span style="display:flex;"><span>│ │ ├── redash </span></span><span style="display:flex;"><span>│ │ ├── reportportal </span></span><span style="display:flex;"><span>│ │ └── sentry </span></span><span style="display:flex;"><span>│ ├── root </span></span><span style="display:flex;"><span>│ │ ├── aws </span></span><span style="display:flex;"><span>│ │ │ ├── organizations </span></span><span style="display:flex;"><span>│ │ │ └── sso </span></span><span style="display:flex;"><span>│ │ └── platforms </span></span><span style="display:flex;"><span>│ │ └── terraform-state </span></span><span style="display:flex;"><span>│ └── security </span></span><span style="display:flex;"><span>│ ├── aws </span></span><span style="display:flex;"><span>│ │ ├── chatbot </span></span><span style="display:flex;"><span>│ │ ├── health </span></span><span style="display:flex;"><span>│ │ ├── inspector </span></span><span style="display:flex;"><span>│ │ ├── organizations </span></span><span style="display:flex;"><span>│ │ └── sso </span></span><span style="display:flex;"><span>│ └── platforms </span></span><span style="display:flex;"><span>│ └── statuscake </span></span><span style="display:flex;"><span>├── modules </span></span><span style="display:flex;"><span>│ ├── aws </span></span><span style="display:flex;"><span>│ │ ├── health-forwarder </span></span><span style="display:flex;"><span>│ │ └── secret-manager </span></span><span style="display:flex;"><span>│ │ └── secret </span></span><span style="display:flex;"><span>│ ├── gcp </span></span><span style="display:flex;"><span>│ │ └── service-account </span></span><span style="display:flex;"><span>│ ├── sentry-project </span></span><span style="display:flex;"><span>│ └── sso </span></span><span style="display:flex;"><span>│ └── iam-assumable-role-with-saml </span></span><span style="display:flex;"><span>├── stacks </span></span><span style="display:flex;"><span>│ ├── apps </span></span><span style="display:flex;"><span>│ │ ├── api-backend </span></span><span style="display:flex;"><span>│ │ └── frontend </span></span><span style="display:flex;"><span>│ ├── aws </span></span><span style="display:flex;"><span>│ │ ├── backups </span></span><span style="display:flex;"><span>│ │ ├── billing </span></span><span style="display:flex;"><span>│ │ ├── ecr </span></span><span style="display:flex;"><span>│ │ ├── eks </span></span><span style="display:flex;"><span>│ │ ├── elasticache </span></span><span style="display:flex;"><span>│ │ ├── guardduty </span></span><span style="display:flex;"><span>│ │ ├── notifications </span></span><span style="display:flex;"><span>│ │ ├── organizations </span></span><span style="display:flex;"><span>│ │ ├── rds </span></span><span style="display:flex;"><span>│ │ ├── route53 </span></span><span style="display:flex;"><span>│ │ ├── ses </span></span><span style="display:flex;"><span>│ │ ├── sso </span></span><span style="display:flex;"><span>│ │ └── vpc </span></span><span style="display:flex;"><span>│ ├── gcp </span></span><span style="display:flex;"><span>│ └── platforms </span></span><span style="display:flex;"><span>│ ├── airbyte </span></span><span style="display:flex;"><span>│ ├── docs </span></span><span style="display:flex;"><span>│ ├── github </span></span><span style="display:flex;"><span>│ ├── keycloak </span></span><span style="display:flex;"><span>│ ├── opsgenie </span></span><span style="display:flex;"><span>│ ├── rattic </span></span><span style="display:flex;"><span>│ ├── redash </span></span><span style="display:flex;"><span>│ ├── reportportal </span></span><span style="display:flex;"><span>│ ├── sentry </span></span><span style="display:flex;"><span>│ ├── statuscake </span></span><span style="display:flex;"><span>│ └── terraform-state </span></span><span style="display:flex;"><span>└── taskfiles </span></span></code></pre></div> <div class="alert alert-info" role="alert"> <h4 class="alert-heading">Important</h4> <ul> <li><strong>apps</strong> contains terraform code for business apps deployed in the infra, such as api-backend, frontend,</li> <li><strong>modules</strong> contains terraform reusable modules used in stacks/apps,</li> <li><strong>stacks</strong> contains infrastructure specific code, i.e. EKS, ECR, SSO, Route53 etc.</li> </ul> </div> <h3 id="apps">Apps</h3> <div class="highlight"><pre tabindex="0" style="color:#4c4f69;background-color:#eff1f5;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>aws-vault <span style="color:#04a5e5">exec</span> igaawi/sso/administrators </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#4c4f69;background-color:#eff1f5;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span><span style="color:#04a5e5">cd</span> envs/prod/apps/api-backend </span></span><span style="display:flex;"><span><span style="color:#04a5e5">export</span> <span style="color:#dc8a78">ENV</span><span style="color:#04a5e5;font-weight:bold">=</span>prod </span></span><span style="display:flex;"><span>tg init </span></span><span style="display:flex;"><span>tg apply </span></span></code></pre></div><p>If you want to see specific credentials generated inside the app you can do:</p> /infrastructure/backups/ Thu, 19 Mar 2026 00:00:00 +0000 /infrastructure/backups/ <h2 id="data-backup-and-recovery-in-the-igaawi-infrastructure">Data Backup and Recovery in the IGAAWI Infrastructure</h2> <h3 id="s3-buckets">S3 Buckets</h3> <p>The project uses S3 buckets for storing application data. The primary production bucket is:</p> <ul> <li><strong>Backend</strong>: <code>igaawi-prod-api-backend-bucket</code></li> </ul> <p>The bucket has versioning enabled and CORS configured for <code>wiperinstall.rainx.com</code> and <code>api.wiperinstall.rainx.com</code>. Public read access is configured for the <code>public/*</code> and <code>web/*</code> prefixes (AI models and 3D wiper models).</p> <div class="alert alert-info" role="alert"> <h4 class="alert-heading">Note</h4> S3 cross-region replication is currently <strong>disabled</strong>. The replication account is configured as the root account (<code>113727184156</code>) and can be enabled in terraform if needed (<code>s3_enable_replication = true</code> in <code>envs/prod/apps/api-backend/prod.tfvars</code>). </div> <p>See more instruction in the <a href="https://docs.aws.amazon.com/ru_ru/AmazonS3/latest/userguide/replication.html">official documentation #1</a> <a href="https://docs.aws.amazon.com/ru_ru/AmazonS3/latest/userguide/replication-walkthrough-2.html">official documentation #2</a></p> /infrastructure/cicd/ Thu, 19 Mar 2026 00:00:00 +0000 /infrastructure/cicd/ <h2 id="-cicd-pipeline-overview">⚙️ CI/CD Pipeline Overview</h2> <p>Our CI/CD pipeline is designed to provide a secure, automated, and efficient process for building and deploying applications in the <code>IGAAWI</code> infrastructure. Here&rsquo;s how it works.</p> <h3 id="cicd-flow">CI/CD Flow</h3> <pre class="mermaid">graph LR; A[Git Commit] --&gt; B[GitHub Webhook] B --&gt; C[EventListener - Tekton] C --&gt; D[Pipeline] D --&gt; E[Build and Push] E --&gt; F[Git Update] F --&gt; G[Argo CD Sync] G --&gt; H[Deployment]</pre> <h3 id="-gitops-in-cicd-tekton--argo-cd">🚀 GitOps in CI/CD: Tekton + Argo CD</h3> <p>In this project, we follow the <strong>GitOps methodology</strong>, where the <strong>Git repository acts as the single source of truth</strong> for both infrastructure and application configurations.</p> /infrastructure/gitops/ Thu, 19 Mar 2026 00:00:00 +0000 /infrastructure/gitops/ <h2 id="argocd-password">Argocd password</h2> <p>You can obtain argocd admin password from <strong>stacks/eks</strong> outputs:</p> <div class="highlight"><pre tabindex="0" style="color:#4c4f69;background-color:#eff1f5;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>aws-vault <span style="color:#04a5e5">exec</span> igaawi/sso/administrators </span></span><span style="display:flex;"><span><span style="color:#04a5e5">cd</span> stacks/eks </span></span><span style="display:flex;"><span><span style="color:#04a5e5">export</span> <span style="color:#dc8a78">ENV</span><span style="color:#04a5e5;font-weight:bold">=</span>prod </span></span><span style="display:flex;"><span>tg output --json | jq -r .argocd.value </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#04a5e5;font-weight:bold">{</span> </span></span><span style="display:flex;"><span> <span style="color:#40a02b">&#34;password&#34;</span>: <span style="color:#40a02b">&#34;HIDDEN&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#40a02b">&#34;username&#34;</span>: <span style="color:#40a02b">&#34;admin&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#04a5e5;font-weight:bold">}</span> </span></span></code></pre></div><p>then proceed to <a href="https://argo-cd.teleport.wiperinstall.rainx.com/applications">argocd</a></p> <p>You can use taskfile argocd targets:</p> <table> <thead> <tr> <th>Command</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>argocd:aas</code></td> <td>turn on sync for the argocd app, task <code>argocd:aas -- apps backend</code></td> </tr> <tr> <td><code>argocd:aau</code></td> <td>turn off sync for the argocd app, task <code>argocd:aau -- apps backend</code></td> </tr> </tbody> </table> <p>or you can use any <a href="https://argo-cd.readthedocs.io/en/stable/cli_installation/">argocd cli</a> commands:</p> /infrastructure/dns/ Tue, 14 Oct 2025 00:00:00 +0000 /infrastructure/dns/ <h2 id="managing-the-domains">Managing the Domains</h2> <p>The project uses two primary domains:</p> <ul> <li><strong><code>wiperinstall.rainx.com</code></strong> — main domain for API, infrastructure services (ArgoCD, Tekton, Grafana)</li> <li><strong><code>wiperinstall.click</code></strong> — customer-facing frontend domain</li> </ul> <p><strong>DNS management is handled via Amazon Route53</strong>. This means that DNS configurations—such as A records, CNAMEs, and other record types—are handled and stored in <strong>hosted zones within Route53</strong>.</p> <p>The <strong>name servers (NS records)</strong> provided by Route53 were configured in the domain registrar settings. This delegates DNS resolution control to <a href="https://us-west-2.console.aws.amazon.com/route53/">AWS Route53</a>.</p>