[AWS] Story 2: Data Layer (Aurora + Redis) #177

@mfittko

Problem Statement

The compute layer needs a production-ready data backend with encrypted storage,
controlled network access, and validated connectivity assumptions.

Scope

In scope:

  • Aurora PostgreSQL Serverless v2
  • Redis with TLS and auth
  • Secrets for database and cache access
  • Network policy needed for ECS-only access

Out of scope:

  • ECS service startup behavior
  • Migration execution from ECS
  • Load or failover testing beyond resource validation

Technical Approach

  • Provision Aurora with backup retention and encryption.
  • Provision Redis with in-transit and at-rest encryption.
  • Store credentials and connection material in Secrets Manager.
  • Restrict access through dedicated security groups.

Dependencies

Hard dependencies:

  • CDK foundation and config contract

Blocks:

  • Compute layer
  • Production readiness gate

Acceptance Criteria

  • Aurora cluster deploys with Serverless v2
  • Redis cluster deploys with TLS enabled
  • Credentials stored in Secrets Manager
  • Security groups restrict access to ECS only
  • cdk deploy completes successfully

Proposed Definition Of Done

  • Aurora settings evidence is attached.
  • Redis TLS and auth settings evidence is attached.
  • Connectivity and denied-access test evidence is attached.
  • Backup and encryption settings are documented.

Validation Plan

  1. Confirm Aurora is deployed with Serverless v2 settings.
  2. Confirm Redis requires TLS and auth.
  3. Confirm non-ECS access is denied by security groups.
  4. Confirm secrets exist and are wired for downstream use.

Risks And Mitigations

  • Risk: TLS assumptions do not match app runtime.
    • Mitigation: Treat runtime connectivity proof as a blocking handoff.
  • Risk: Security group rules are broader than intended.
    • Mitigation: Include explicit denied-access validation.

Handoff Notes

This issue closes resource readiness, not application startup validation.
Runtime connectivity proof remains a hard gate for the compute story.

AC/DoD Coverage Matrix

| Item | Type (AC/DoD/Non-goal) | Status (Met/Partial/Unmet/Unverified) | Evidence (spec/tests/behavior) | Notes |
|---|---|---|---|---|
| Aurora cluster deploys with Serverless v2 | AC | Unverified | Deploy logs | Source AC |
| Redis cluster deploys with TLS enabled | AC | Unverified | Redis config evidence | Source AC |
| Credentials stored in Secrets Manager | AC | Unverified | Secret inventory | Source AC |
| Security groups restrict access to ECS only | AC | Unverified | SG tests | Source AC |
| cdk deploy completes successfully | AC | Unverified | Deploy logs | Source AC |
| Aurora settings evidence is attached. | DoD | Unverified | Issue evidence | Proposed DoD |
| Redis TLS and auth settings evidence is attached. | DoD | Unverified | Issue evidence | Proposed DoD |
| Connectivity and denied-access test evidence is attached. | DoD | Unverified | Issue evidence | Proposed DoD |
| Backup and encryption settings are documented. | DoD | Unverified | Docs or issue body | Proposed DoD |
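
Steps 1 to 3 of the Validation Plan above can be checked statically against the describe output of the deployed resources. The following is an added example, not part of the issue or the project's code: it assumes the JSON shapes returned by the RDS, ElastiCache and EC2 describe calls, and the security group IDs, the sample data and the `min_backup_days` threshold are constructed.

```python
# Added example: static checks for the issue's Validation Plan over describe-style JSON.
# Field names follow the RDS, ElastiCache and EC2 describe responses.
# All IDs and sample values are constructed; min_backup_days is an assumed threshold.

def check_aurora(cluster, min_backup_days=7):
    findings = []
    if cluster.get("Engine") != "aurora-postgresql":
        findings.append("aurora: engine is not aurora-postgresql")
    if not cluster.get("ServerlessV2ScalingConfiguration"):
        findings.append("aurora: no Serverless v2 scaling configuration")
    if not cluster.get("StorageEncrypted"):
        findings.append("aurora: storage is not encrypted")
    if cluster.get("BackupRetentionPeriod", 0) < min_backup_days:
        findings.append("aurora: backup retention below threshold")
    return findings

def check_redis(group):
    findings = []
    if not group.get("TransitEncryptionEnabled"):
        findings.append("redis: TLS (in-transit encryption) is disabled")
    if not group.get("AtRestEncryptionEnabled"):
        findings.append("redis: at-rest encryption is disabled")
    # Auth is either an AUTH token or RBAC user groups.
    if not (group.get("AuthTokenEnabled") or group.get("UserGroupIds")):
        findings.append("redis: no auth configured")
    return findings

def check_ingress(sg, ecs_sg_id):
    """Flag any ingress source other than the ECS service security group."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        ports = f"{perm.get('FromPort')}-{perm.get('ToPort')}"
        for key, field in (("IpRanges", "CidrIp"), ("Ipv6Ranges", "CidrIpv6"),
                           ("PrefixListIds", "PrefixListId")):
            for src in perm.get(key, []):
                findings.append(f"{sg['GroupId']}: {src[field]} allowed on {ports}")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != ecs_sg_id:
                findings.append(f"{sg['GroupId']}: {pair.get('GroupId')} allowed on {ports}")
    return findings

# Constructed sample: a data-layer SG that also admits the VPC CIDR by mistake.
ECS_SG = "sg-0ecs000000000000"
SAMPLE_SG = {"GroupId": "sg-0db000000000000", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "UserIdGroupPairs": [{"GroupId": ECS_SG}], "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]}

if __name__ == "__main__":
    for finding in check_ingress(SAMPLE_SG, ECS_SG):
        print(finding)
```

These checks cover rule and setting definitions only; the connectivity and denied-access test evidence listed in the Definition of Done still has to come from a live attempt.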
