Pulumi project — infra/
AI-generated content
This document was generated by an AI assistant. Verify accuracy before relying on the details.
Source of truth: infra/README.md on GitHub.
What lives in infra/
A greenfield Pulumi (JavaScript) project that replaces the Azure AKS / Helm / Bitbucket Pipelines stack with:
- Multi-account AWS Organization: `adb-root`, `adb-ops`, `adb-logs`, `adb-shared`, `adb-production`, `adb-staging`, `adb-preview`.
- Centralised IAM via AWS IAM Identity Center, with groups `Admin`, `Engineer`, `Debug`, `Billing`, `Ops`, and `Jail` (an audit-only deny-everything-else lockdown permission).
- ECS Fargate workloads for `production` and `staging`. Per-PR ephemeral envs in `adb-preview`, with `/deploy` and `/destroy` PR comments as triggers.
- Cloudflare Pages for the `adb-ui` Angular app.
- Local `docker-compose` stack that runs all 9 Spring Boot services + UI + MongoDB + Keycloak + LocalStack with no external dependencies.
- GitHub Actions for CI, PR previews, and branch deploys (`main` → staging, `production` → prod with manual approval).
Stacks
| Stack | Account | Run when |
|---|---|---|
| org | adb-root | Once, manually, by an admin |
| identity | adb-ops | Once, then on group/permission changes |
| logs | adb-logs | Once, then on retention changes |
| shared | adb-shared | Once, then when adding ECR repos |
| staging | adb-staging | Auto on push to main |
| production | adb-production | Auto on push to production (with manual approval) |
| pr-<N> | adb-preview | Auto on /deploy on PR <N>, destroyed on /destroy or PR close |
Layout (high-level)
```
infra/
├── Pulumi.yaml        Pulumi project file
├── package.json       JS deps (no TypeScript)
├── src/
│   ├── components/    Reusable Pulumi ComponentResources
│   ├── catalog/       Service registry (single source of truth for services + events)
│   ├── stacks/        Per-stack entry points
│   └── index.js       Dispatch by stack name
├── stacks/            Per-stack Pulumi.<stack>.yaml configs
├── scripts/           Helper shell scripts (pr-deploy, pr-destroy, …)
└── docker/            Local docker-compose stack
```
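The "dispatch by stack name" step in `src/index.js` is where a wrong stack name or a wrong set of credentials would otherwise be applied to the wrong account. The following is an added illustration, not the project's own `src/index.js`: it maps the stack names from the table above to the account each is pinned to, accepts only well-formed `pr-<N>` names for preview stacks, and refuses to load a stack program unless the caller's resolved account alias (assumed to be obtained from the credentials in use, e.g. via STS) matches. The `./stacks/<name>` module path and the account-alias argument are assumptions.

```javascript
// Added example (not the project's code): fail-closed stack dispatch.
// Assumed: stack programs live in ./stacks/<entry>.js and export a function;
// the caller passes the AWS account alias resolved from its own credentials.

// Stack name -> the account it must run in and the entry module to load.
const FIXED_STACKS = {
  org:        { account: "adb-root",       entry: "org" },
  identity:   { account: "adb-ops",        entry: "identity" },
  logs:       { account: "adb-logs",       entry: "logs" },
  shared:     { account: "adb-shared",     entry: "shared" },
  staging:    { account: "adb-staging",    entry: "staging" },
  production: { account: "adb-production", entry: "production" },
};

// Preview stacks are named pr-<N>. N must be a plain positive integer so a
// stack name derived from a PR comment can never select an arbitrary module.
const PR_STACK = /^pr-([1-9][0-9]{0,6})$/;

function resolveStack(stackName) {
  // hasOwnProperty guards against names like "toString" matching the prototype.
  if (Object.prototype.hasOwnProperty.call(FIXED_STACKS, stackName)) {
    return { ...FIXED_STACKS[stackName], prNumber: null };
  }
  const m = PR_STACK.exec(stackName);
  if (m) {
    return { account: "adb-preview", entry: "preview", prNumber: Number(m[1]) };
  }
  // Unknown stack: refuse rather than guess a target.
  throw new Error(`unknown stack "${stackName}"`);
}

// Credentials in use must belong to the account the stack is pinned to;
// otherwise a mis-selected AWS profile would apply, say, production elsewhere.
function checkAccount(stackName, callerAccountAlias) {
  const target = resolveStack(stackName);
  if (callerAccountAlias !== target.account) {
    throw new Error(
      `stack "${stackName}" must run in ${target.account}, ` +
      `but credentials belong to ${callerAccountAlias}`
    );
  }
  return target;
}

// What the Pulumi entry point would do with pulumi.getStack() and the alias.
function dispatch(stackName, callerAccountAlias) {
  const target = checkAccount(stackName, callerAccountAlias);
  return require(`./stacks/${target.entry}`)(target); // assumed module shape
}
```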
Local dev
```shell
cd infra
make up    # brings up MongoDB replica set, Keycloak, LocalStack, Mailpit, all services
make down
```
No external dependencies required.
Where to read more
- infra/README.md — operations reference (kept up-to-date alongside the code).
- Current AWS state — what's actually deployed today, and the gaps the Pulumi project is filling.
- MongoDB Atlas — Realm CLI setup — needed to audit / change the producer side of the EventBridge fanout.