Provision a new environment
AI-generated content
This document was generated by an AI assistant. Verify accuracy before relying on the details.
For a brand-new fixed environment (not a PR preview — those use pr-deploy). Examples: a regulator-mandated isolated env, a major-version migration target, a tenant-specific environment.
Prerequisites
- An existing AWS account in the org (or the ability to create one; see the `org` stack output).
- The cross-account role `OrganizationAccountAccessRole` accessible from `adb-root` to that account.
- ACM cert for the env's hostname, issued in `eu-west-3` (the ALB can only attach a certificate from its own region, so a cert issued elsewhere will not work).
- Cloudflare zone ID + API token if the new env needs a UI hostname.
Steps
```bash
cd infra
bash scripts/new-env.sh <env-name> <aws-account-id>
```
This:
- Copies `stacks/Pulumi.staging.yaml` → `stacks/Pulumi.<env-name>.yaml` with `adb:accountId` substituted.
- Runs `pulumi stack init <env-name>`.
Then edit `stacks/Pulumi.<env-name>.yaml` to set:
- `adb:certificateArn`: the ACM cert in `eu-west-3` for `*.<env-name>.api.adb.example`.
- `adb:cloudflareZoneId`: if you want a UI hostname.
- `adb:firehoseArn`: output from the `logs` stack.
- `adb:githubOidcArn`: output from the `shared` stack.
Seed the secrets. Prefix assignments like these are recorded in shell history together with the command, so load the values from your secrets store (or `read -s` them into the variables) rather than typing them literally:

```bash
MONGO_URI="mongodb+srv://..." \
KEYCLOAK_ISSUER_URI="https://<env>-keycloak…" \
KEYCLOAK_CLIENT_SECRET="..." \
SENDGRID_API_KEY="..." \
bash scripts/seed-secrets.sh <env-name>
```
Deploy (run `pulumi preview -s <env-name>` first and compare the planned resources against the list in the next section):

```bash
pulumi up -s <env-name>
```
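A pre-flight check for the generated stack file, added here as an example and not one of the scripts in `infra/scripts`: it asserts that the keys the previous step says to set are present and look like ARNs, and that the ACM certificate ARN is in `eu-west-3` and belongs to the account in `adb:accountId`. A copied staging file that was never edited fails on exactly those points. It assumes the standard Pulumi stack-file layout (a `config:` map with `adb:<key>` entries); the sample files, account ids and ARNs are constructed placeholders.

```bash
#!/bin/sh
# Pre-flight check for a freshly generated stacks/Pulumi.<env-name>.yaml.
# Added example, not a script from infra/scripts. Assumes the standard Pulumi
# stack-file layout (a `config:` map with `adb:<key>` entries) and the key
# names listed on this page. Sample ids and ARNs below are placeholders.

# Print the value of `adb:<key>` from a stack file (surrounding double quotes
# stripped), or nothing if the key is missing or empty.
stack_value() {
  sed -n "s/^[[:space:]]*adb:$2:[[:space:]]*//p" "$1" | head -n 1 \
    | sed 's/^"//; s/"$//'
}

# Field N of an ARN (arn:partition:service:region:account:resource).
arn_field() {
  printf '%s' "$1" | cut -d: -f"$2"
}

# Return 0 when the stack file is ready for `pulumi up`; otherwise report
# every failed check on stderr and return 1.
check_env_config() {
  file="$1"
  status=0
  acct=$(stack_value "$file" accountId)
  cert=$(stack_value "$file" certificateArn)

  [ -n "$acct" ] || { echo "adb:accountId is not set" >&2; status=1; }

  # These three must be filled in after new-env.sh copies the staging file.
  for key in certificateArn firehoseArn githubOidcArn; do
    val=$(stack_value "$file" "$key")
    case "$val" in
      arn:aws:*) ;;
      "") echo "adb:$key is not set" >&2; status=1 ;;
      *)  echo "adb:$key is not an ARN: $val" >&2; status=1 ;;
    esac
  done

  # The ACM cert must be in eu-west-3 and in the env's own account.
  if [ -n "$cert" ]; then
    [ "$(arn_field "$cert" 3)" = "acm" ] \
      || { echo "adb:certificateArn is not an ACM ARN: $cert" >&2; status=1; }
    [ "$(arn_field "$cert" 4)" = "eu-west-3" ] \
      || { echo "adb:certificateArn is not in eu-west-3: $cert" >&2; status=1; }
    [ "$(arn_field "$cert" 5)" = "$acct" ] \
      || { echo "adb:certificateArn is in account $(arn_field "$cert" 5), not adb:accountId=$acct" >&2; status=1; }
  fi
  return "$status"
}

# --- constructed sample stack files (placeholder ids, not real resources) ---
TMP=$(mktemp -d)
GOOD_CFG="$TMP/Pulumi.tenant-a.yaml"
BAD_CFG="$TMP/Pulumi.tenant-b.yaml"

cat > "$GOOD_CFG" <<'EOF'
config:
  adb:accountId: "111122223333"
  adb:certificateArn: arn:aws:acm:eu-west-3:111122223333:certificate/0000aaaa-1111-2222-3333-444455556666
  adb:cloudflareZoneId: ""
  adb:firehoseArn: arn:aws:firehose:eu-west-3:999988887777:deliverystream/adb-logs
  adb:githubOidcArn: arn:aws:iam::999988887777:oidc-provider/token.actions.githubusercontent.com
EOF

# Copied from staging with only accountId substituted: the cert ARN still
# points at the staging account's certificate and githubOidcArn is missing.
cat > "$BAD_CFG" <<'EOF'
config:
  adb:accountId: "222233334444"
  adb:certificateArn: arn:aws:acm:eu-west-3:111122223333:certificate/0000aaaa-1111-2222-3333-444455556666
  adb:firehoseArn: arn:aws:firehose:eu-west-3:999988887777:deliverystream/adb-logs
EOF

if check_env_config "$GOOD_CFG"; then echo "ready: $GOOD_CFG"; fi
if ! check_env_config "$BAD_CFG"; then echo "not ready: $BAD_CFG"; fi
```

Run it against the real file with `check_env_config stacks/Pulumi.<env-name>.yaml` before `pulumi preview`; an exit status of 1 lists every key that still needs attention.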
What gets provisioned
The env stack is the same shape as staging and production:
- VPC + 3 AZs + private/public subnets + NAT(s)
- ECS Fargate cluster + 9 services
- Public ALB + listener rules per service
- SQS queues + DLQs + DLQ alert SNS topics (from the catalog)
- S3 buckets: `<env>-files-life-connect-fr`, `<env>-templates-life-connect-fr`
- CloudWatch log groups
- Secrets Manager containers (values you seeded above)
- Cloudflare Pages binding for the UI
Post-deploy
- Add the new env to `adb-doc/docs/concepts/ecs-deploy-lifecycle.md` if it's permanent.
- If it has a separate Atlas project, document the producer-side mapping in `atlas-triggers.md`.
- Add a `## [YYYY-MM-DD] migrate | new env <name>` line to `adb-doc/log.md`.
See also
- ECS Fargate deploy lifecycle — what the stack is doing under the hood.
- Current AWS state — for the existing org account inventory.