Life Connect
Last updated 2026-05-03

Provision a new environment

AI-generated content

This document was generated by an AI assistant. Verify accuracy before relying on the details.

Use this runbook for a brand-new fixed environment (not a PR preview; those use pr-deploy). Examples: a regulator-mandated isolated env, a major-version migration target, a tenant-specific environment.

Prerequisites

  • An existing AWS account in the org (or the ability to create one — see org stack output).
  • The cross-account role OrganizationAccountAccessRole accessible from adb-root to that account.
  • ACM cert for the env's hostname in eu-west-3.
  • Cloudflare zone ID + API token if the new env needs a UI hostname.

Steps

cd infra
bash scripts/new-env.sh <env-name> <aws-account-id>

This:

  1. Copies stacks/Pulumi.staging.yaml → stacks/Pulumi.<env-name>.yaml with adb:accountId substituted.
  2. Runs pulumi stack init <env-name>.

Then edit stacks/Pulumi.<env-name>.yaml to set:

  • adb:certificateArn — the ACM cert in eu-west-3 for *.<env-name>.api.adb.example.
  • adb:cloudflareZoneId — if you want a UI hostname.
  • adb:firehoseArn — output from the logs stack.
  • adb:githubOidcArn — output from the shared stack.

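Seed the secrets. The values are passed to the script as environment variables; a command typed this way at an interactive prompt is normally written to shell history: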

MONGO_URI="mongodb+srv://..." \
KEYCLOAK_ISSUER_URI="https://<env>-keycloak…" \
KEYCLOAK_CLIENT_SECRET="..." \
SENDGRID_API_KEY="..." \
bash scripts/seed-secrets.sh <env-name>

Deploy:

pulumi up -s <env-name>
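Because the new stack file starts as a copy of staging, any setting left unedited still carries staging's value. The check below can be run after editing the file and before pulumi up; it is an added example, not one of the project's scripts. It assumes the settings are flat `adb:<key>: <value>` lines and that the ACM cert is issued in the new account, and the script name preflight.sh is hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not project code): lint stacks/Pulumi.<env-name>.yaml before `pulumi up`.
# Assumes each setting is a flat "  adb:<key>: <value>" scalar line in the stack file.

# cfg_get <file> <key>: print the first matching value with quotes and spaces stripped.
cfg_get() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d "\"' "
}

# check_stack <new-stack-file> <staging-stack-file>
# Prints one FAIL line per finding; returns 0 when clean, 1 otherwise.
check_stack() {
  cs_bad=0
  cs_fail() { echo "FAIL: $1"; cs_bad=1; }

  # The account ID must be well-formed and must not be the staging account.
  cs_acct=$(cfg_get "$1" adb:accountId)
  printf '%s\n' "$cs_acct" | grep -Eq '^[0-9]{12}$' ||
    cs_fail "adb:accountId is not a 12-digit AWS account ID"
  [ "$cs_acct" != "$(cfg_get "$2" adb:accountId)" ] ||
    cs_fail "adb:accountId still equals the staging account"

  # The cert must be a new one: in eu-west-3 (per the runbook) and in the new
  # account (assumption: the cert is issued in the environment's own account).
  cs_cert=$(cfg_get "$1" adb:certificateArn)
  case $cs_cert in
    arn:aws:acm:eu-west-3:"$cs_acct":certificate/?*) ;;
    *) cs_fail "adb:certificateArn is not an eu-west-3 ACM cert in account $cs_acct" ;;
  esac
  [ "$cs_cert" != "$(cfg_get "$2" adb:certificateArn)" ] ||
    cs_fail "adb:certificateArn is unchanged from the staging copy"

  # Stack outputs pasted in by hand: require at least an ARN-shaped value.
  for cs_key in adb:firehoseArn adb:githubOidcArn; do
    case $(cfg_get "$1" "$cs_key") in
      arn:aws:?*) ;;
      *) cs_fail "$cs_key is missing or not an ARN" ;;
    esac
  done
  return "$cs_bad"
}

# Usage (script name is hypothetical):
#   bash preflight.sh stacks/Pulumi.<env-name>.yaml stacks/Pulumi.staging.yaml
if [ "$#" -eq 2 ]; then check_stack "$1" "$2"; fi
```

adb:firehoseArn and adb:githubOidcArn are not compared against staging, since the logs and shared stacks they come from may legitimately serve more than one environment.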

What gets provisioned

The env stack is the same shape as staging and production:

  • VPC + 3 AZs + private/public subnets + NAT(s)
  • ECS Fargate cluster + 9 services
  • Public ALB + listener rules per service
  • SQS queues + DLQs + DLQ alert SNS topics (from the catalog)
  • S3 buckets <env>-files-life-connect-fr, <env>-templates-life-connect-fr
  • CloudWatch log groups
  • Secrets Manager containers (values you seeded above)
  • Cloudflare Pages binding for the UI

Post-deploy

  • Add the new env to adb-doc/docs/concepts/ecs-deploy-lifecycle.md if it's permanent.
  • If it has a separate Atlas project, document the producer-side mapping in atlas-triggers.md.
  • Add a ## [YYYY-MM-DD] migrate | new env <name> line to adb-doc/log.md.

See also

  • ECS Fargate deploy lifecycle — what the stack is doing under the hood.
  • Current AWS state — for the existing org account inventory.
Contributors: Yevhenii Khudolii