
Add AWS ECS Fargate reference deployment; remove EKS/old ECS #32

Open
jrozner wants to merge 3 commits into main from aws-ecs-reference-deployment

Conversation

jrozner (Member) commented Jun 27, 2026

Summary

Adds a new AWS reference deployment (modules/aws + examples/aws) that mirrors the existing GCP modules solution, using ECS Fargate as the compute layer. Removes the standalone ecs/ deployment and the eks/ Helm chart — k8s is no longer maintained.

Architecture

| Component | Implementation |
|---|---|
| ashirt-server | ECS Fargate service behind an internal ALB |
| frontend (nginx) | ECS Fargate service behind a public HTTPS ALB (ACM cert + Route53 alias); proxies API traffic to the internal server ALB |
| ocr-worker | outbound-only ECS Fargate service that polls the server API |
| init/migrate | one-shot ECS task run via aws ecs run-task, waited on; re-runs whenever the tag changes, before ashirt-server is redeployed |
| database | Aurora MySQL Serverless v2; DSN stored in Secrets Manager and injected into tasks |
| storage | S3 evidence bucket |
| network | VPC with public/private subnets across az_count AZs, IGW, single NAT gateway |
| IAM | shared ECS execution role + per-service task roles |

Encryption

Amazon-managed keys only — no customer-managed KMS keys are created:

  • S3: SSE-S3 (AES256)
  • Aurora: storage_encrypted = true with aws/rds
  • Secrets Manager: aws/secretsmanager

Notes for reviewers

  • Container image/env names follow the GCP module (ashirt/ashirt-server, ashirt/frontend, ashirt/ocr-worker, ashirt/init, STORE_*). Worth a smoke test against real image tags.
  • BACKEND=aws for the ocr-worker is assumed to map to Amazon Textract; the ocr-worker task role is granted textract:DetectDocumentText/AnalyzeDocument. Adjust ocr_worker_env + IAM if the image expects something else.
  • Frontend uses a plain public HTTPS ALB (matching GCP's default iap_enabled=false) with an allow_frontend_cidrs allowlist; there is no IAP-equivalent auth layer.
  • Both modules/aws and examples/aws pass terraform validate and terraform fmt.
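
The init/migrate step from the Architecture table above, written out as an added Terraform example; this is not the PR's module code. It assumes hypothetical names (var.image_tag, aws_ecs_cluster.this, aws_ecs_task_definition.init and .server, aws_subnet.private, aws_security_group.init and .server, aws_lb_target_group.server, a container port of 8080) and that the AWS CLI is available where terraform apply runs. The detail worth checking in the real module is the exit-code test: aws ecs wait tasks-stopped returns 0 as soon as the task has stopped, even when the migration container exited non-zero, so without an explicit check ashirt-server would be redeployed against an unmigrated schema.

```hcl
# Added example, not the PR's module code. Assumed names: var.image_tag,
# aws_ecs_cluster.this, aws_ecs_task_definition.init / .server,
# aws_subnet.private, aws_security_group.init / .server,
# aws_lb_target_group.server, container port 8080.

resource "null_resource" "migrate" {
  # Re-run whenever the image tag (and so the init task definition) changes.
  triggers = {
    image_tag    = var.image_tag
    task_def_arn = aws_ecs_task_definition.init.arn
  }

  provisioner "local-exec" {
    interpreter = ["/bin/bash", "-c"]
    command     = <<-EOT
      set -euo pipefail
      task_arn=$(aws ecs run-task \
        --cluster "${aws_ecs_cluster.this.name}" \
        --task-definition "${aws_ecs_task_definition.init.arn}" \
        --launch-type FARGATE \
        --network-configuration "awsvpcConfiguration={subnets=[${join(",", aws_subnet.private[*].id)}],securityGroups=[${aws_security_group.init.id}],assignPublicIp=DISABLED}" \
        --query 'tasks[0].taskArn' --output text)

      aws ecs wait tasks-stopped \
        --cluster "${aws_ecs_cluster.this.name}" --tasks "$task_arn"

      # 'wait tasks-stopped' succeeds on any stop reason, including a failed
      # migration or an image that never started, so check the container's
      # exit code explicitly (a task that never ran reports "None", which fails).
      exit_code=$(aws ecs describe-tasks \
        --cluster "${aws_ecs_cluster.this.name}" --tasks "$task_arn" \
        --query 'tasks[0].containers[0].exitCode' --output text)
      if [ "$exit_code" != "0" ]; then
        echo "init task $task_arn failed with exit code $exit_code" >&2
        exit 1
      fi
    EOT
  }
}

resource "aws_ecs_service" "server" {
  name            = "ashirt-server"
  cluster         = aws_ecs_cluster.this.id
  task_definition = aws_ecs_task_definition.server.arn
  desired_count   = 2
  launch_type     = "FARGATE"

  network_configuration {
    subnets         = aws_subnet.private[*].id
    security_groups = [aws_security_group.server.id]
  }

  load_balancer {
    target_group_arn = aws_lb_target_group.server.arn
    container_name   = "ashirt-server"
    container_port   = 8080 # assumed port
  }

  # The server is only (re)deployed after the migration task has exited 0.
  depends_on = [null_resource.migrate]
}
```

The tasks-stopped waiter polls about every 6 seconds and gives up after 100 attempts (roughly 10 minutes), so a migration that can run longer needs its own polling loop around describe-tasks rather than the built-in waiter.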

Adds modules/aws + examples/aws, an opinionated serverless ASHIRT
deployment mirroring the GCP modules solution:

- ashirt-server, frontend, and ocr-worker on ECS Fargate
- public HTTPS ALB (ACM + Route53) for the frontend, internal ALB for
  the API; ocr-worker polls the API outbound-only
- Aurora MySQL Serverless v2, DSN in Secrets Manager
- S3 evidence bucket, single-NAT VPC across AZs
- one-shot ECS init task for DB migrations, re-run on tag change
- Amazon-managed encryption throughout (SSE-S3, aws/rds,
  aws/secretsmanager); no customer-managed KMS keys

Removes the standalone ecs/ deployment and the eks/ Helm chart; k8s
support is no longer maintained.
@jrozner jrozner requested a review from jkennedyvz as a code owner June 27, 2026 20:52
jrozner added 2 commits June 27, 2026 13:57
Runs terraform fmt -check at the repo root and init -backend=false +
validate across modules/{aws,gcp} and examples/{aws,gcp} on PRs and
pushes to main. This is the credential-free equivalent of a plan check;
a live plan is omitted since it requires cloud credentials and an
existing Route53 zone.
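
The IAM split from the Architecture table (one shared execution role plus per-service task roles) and the Textract grant from the reviewer notes, as an added Terraform example that is not the PR's module code. Assumed names: aws_secretsmanager_secret.dsn for the DSN secret and the data.aws_caller_identity.current lookup. Two checks a reviewer would want here: the secretsmanager:GetSecretValue grant belongs on the execution role, because the ECS agent resolves a container definition's secrets entries with the execution role when it starts the container, not with the task role; and the ocr-worker task role should carry nothing beyond the two Textract actions the note lists.

```hcl
# Added example, not the PR's module code. Assumed names:
# aws_secretsmanager_secret.dsn, data.aws_caller_identity.current.

data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "ecs_tasks_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
    # Confused-deputy guard: only ECS tasks in this account may assume the roles.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

# Shared execution role: pulls images, writes logs, and fetches the DSN secret
# for container 'secrets' entries. The managed policy covers ECR and CloudWatch
# Logs only, so the secret read is a separate, ARN-scoped inline policy.
resource "aws_iam_role" "execution" {
  name               = "ashirt-ecs-execution"
  assume_role_policy = data.aws_iam_policy_document.ecs_tasks_assume.json
}

resource "aws_iam_role_policy_attachment" "execution_managed" {
  role       = aws_iam_role.execution.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

data "aws_iam_policy_document" "execution_secrets" {
  statement {
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [aws_secretsmanager_secret.dsn.arn]
  }
}

resource "aws_iam_role_policy" "execution_secrets" {
  name   = "read-dsn-secret"
  role   = aws_iam_role.execution.id
  policy = data.aws_iam_policy_document.execution_secrets.json
}

# Per-service task role for ocr-worker: only the two Textract calls it needs.
resource "aws_iam_role" "ocr_worker" {
  name               = "ashirt-ocr-worker-task"
  assume_role_policy = data.aws_iam_policy_document.ecs_tasks_assume.json
}

data "aws_iam_policy_document" "ocr_worker" {
  statement {
    actions = ["textract:DetectDocumentText", "textract:AnalyzeDocument"]
    # Textract does not support resource-level permissions, so "*" is the
    # narrowest scope available; the action list is what limits this role.
    resources = ["*"]
  }
}

resource "aws_iam_role_policy" "ocr_worker" {
  name   = "textract-only"
  role   = aws_iam_role.ocr_worker.id
  policy = data.aws_iam_policy_document.ocr_worker.json
}
```

Because the PR keeps the secret on the Amazon-managed aws/secretsmanager key, no kms:Decrypt grant is needed on the execution role; switching to a customer-managed key later would require adding one scoped to that key.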
