| Component            | Terraform module               | What it does                                                                                                         |
| -------------------- | ------------------------------ | -------------------------------------------------------------------------------------------------------------------- |
| VPC / networking     | qrodules_vpc                   | Creates the VPC, public subnets, private subnets, and availability zone layout.                                      |
| ALB                  | qrodules_alb                   | Creates the public Application Load Balancer and HTTPS listener/certificate for site_url.                            |
| ALB listener rule    | qrodules_alb_lr                | Routes traffic from the ALB listener to the app target group.                                                        |
| WAF                  | qrodules_alb_waf               | Protects the ALB with WAF rules. It partially excludes body-size restrictions for /import and /table-data.           |
| S3                   | qrodules_s3                    | Creates the app bucket, named fuse-${environment}-s3, and related access secrets. Used by Django as AWS_BUCKET.      |
| Redis                | qrodules_redis                 | Creates Redis/ElastiCache for app caching or background queue usage. Can be made dormant with redis_dormant.         |
| Sentry               | qrodules_sentry                | Looks up or configures an existing Sentry project and provides SENTRY_DSN.                                           |
| Secret key           | qrodules_secret_key            | Creates/stores the Django SECRET_KEY.                                                                                |
| Email / SES SMTP     | qrodules_email                 | Creates email sender/SMTP credentials. Used for EMAIL_ADDRESS, EMAIL_HOST_USER, and password secret.                 |
| SharePoint secrets   | aws_ssm_parameter data sources | Reads existing SSM parameters for SharePoint hostname, paths, client ID, client secret, and tenant ID.               |
| Env vars             | qrodules_env_vars              | Collects plain and secret env vars that are injected into ECS tasks.                                                 |
| Generic secrets      | qrodules_secrets               | Provides DB master username/password used by the DB server module.                                                   |
| DB server            | qrodules_db_server             | Creates the PostgreSQL/RDS server, using Postgres engine 14, class db.t4g.medium, storage 120GB, max 1000GB.         |
| DB app user/database | qrodules_db                    | Creates the app database/user and stores DATABASE_URL. Uses db_connection_port for Terraform-time DB connection.     |
| Bastion              | qrodules_bastion               | Creates an EC2 bastion host for database/admin access. Whitelisted to one IP and connected to the DB security group. |
| Patcher              | qrodules_patcher               | Creates AWS Systems Manager patching/maintenance targeting EC2 instances tagged App = fuse.                          |
| ECS app              | qrodules_ecs_app               | Runs the actual app on ECS: web, nginx, beat, and worker containers.                                                 |
| Redis security rules | qrodules_redis_sgr_*           | Allows ECS beat/web-nginx/worker task security groups to access Redis.                                               |
| Developer access     | qrodules_developer_access      | Grants developer access to ECS cluster/log groups for this app/account.                                              |

| Variable                   | Used for                                                                                                           |
| -------------------------- | ------------------------------------------------------------------------------------------------------------------ |
| environment                | Chooses environment name: dev, qa, or prod. Also affects domains, CIDRs, S3 bucket name, Sentry environment, tags. |
| name_prefix                | Prefix/name for almost all resources. From globals, always fuse.                                                   |
| aws_account_id             | AWS account where Terraform operates. Dev: 145023138016, QA: 842675986960, Prod: 203918882214.                     |
| aws_region                 | AWS region. From globals: eu-west-3.                                                                               |
| cidr                       | VPC CIDR. Prod uses 10.0.0.0/16, QA 10.1.0.0/16, Dev 10.2.0.0/16.                                                  |
| private_subnets            | Private subnet CIDRs for ECS, Redis, DB.                                                                           |
| public_subnets             | Public subnet CIDRs for ALB and bastion.                                                                           |
| availability_zones         | Availability zones: eu-west-3a, eu-west-3b.                                                                        |
| site_url                   | Public app hostname. Prod: fuse.altengroup.com; QA: fuse-qa.altengroup.com; Dev: fuse-dev.altengroup.com.          |
| domain                     | Base domain: altengroup.com.                                                                                       |
| docker_tag                 | App version deployed to ECS. Dev uses latest, QA 0.1.0, Prod 0.20.0.                                               |
| web_image                  | Web container image: ghcr.io/quickrelease/fuse/fuse-web.                                                           |
| nginx_image                | Nginx container image: ghcr.io/quickrelease/fuse/fuse-nginx.                                                       |
| github_registry_secret_arn | Secrets Manager ARN used by ECS to pull private GitHub container images.                                           |
| dormant                    | Controls whether the ECS app is dormant/scaled down. QA is true; Prod is false; Dev defaults false.                |
| redis_dormant              | Controls whether Redis is dormant. QA is true; Prod is false; Dev does not pass it, so default is false.           |
| web_cpu                    | CPU for ECS web task. Dev default 512; QA default 256; Prod overrides to 1024.                                     |
| worker_memory              | Memory for ECS worker task. Main default 1024; QA overrides default to 512.                                        |
| connection_limit           | DB connection limit. Main default 60; QA passes 30.                                                                |
| db_connection_port         | Local/forwarded port Terraform uses to connect to DB. Dev 5443, QA 5444, Prod 5445.                                |
| use_owner_db_role          | Whether app DB uses owner/product DB role instead of default Postgres role. Defaults false.                        |
| launch_type                | ECS launch type override. Dev sets FARGATE; QA/Prod do not pass it, so module default is null.                     |
| smtp_endpoint              | SES SMTP host: email-smtp.eu-west-3.amazonaws.com.                                                                 |
| sentry_environment         | Sentry environment name: fuse-dev, fuse-qa, fuse-prod.                                                             |

**Environment Differences**

```mermaid
flowchart TB
  subgraph ENV["Terraform Environments"]
    DEV["dev"]
    QA["qa"]
    PROD["prod"]
  end

  DEV --> GLOBALS
  QA --> GLOBALS
  PROD --> GLOBALS

  GLOBALS["modules/globals<br/>region, domain, CIDR, images,<br/>subnets, registry secret ARN"]
  GLOBALS --> MAIN["modules/main"]

  subgraph AWS["AWS Account per Environment"]
    PROVIDER["AWS Provider<br/>assume role: terraform<br/>region: eu-west-3"]

    subgraph NETWORK["Networking"]
      VPC["VPC<br/>qrodules_vpc"]
      PUB["Public Subnets"]
      PRIV["Private Subnets"]
      VPC --> PUB
      VPC --> PRIV
    end

    subgraph EDGE["Public Edge"]
      ALB["Application Load Balancer<br/>qrodules_alb"]
      CERT["TLS Certificate<br/>site_url"]
      LR["ALB Listener Rule<br/>qrodules_alb_lr"]
      WAF["AWS WAF<br/>qrodules_alb_waf"]
      DNS["site_url<br/>fuse[-env].altengroup.com"]

      PUB --> ALB
      CERT --> ALB
      ALB --> LR
      WAF --> ALB
      DNS --> ALB
    end

    subgraph APP["Application Runtime"]
      ECS["ECS App<br/>qrodules_ecs_app"]
      WEB["Web Container<br/>fuse-web"]
      NGINX["Nginx Container<br/>fuse-nginx"]
      BEAT["Beat Task"]
      WORKER["Worker Task"]

      PRIV --> ECS
      ECS --> WEB
      ECS --> NGINX
      ECS --> BEAT
      ECS --> WORKER
      LR --> ECS
    end

    subgraph DATA["Data Services"]
      RDS_SERVER["PostgreSQL RDS Server<br/>qrodules_db_server"]
      RDS_DB["App DB/User<br/>qrodules_db"]
      REDIS["Redis / ElastiCache<br/>qrodules_redis"]
      S3["S3 Bucket<br/>fuse-${environment}-s3"]

      PRIV --> RDS_SERVER
      RDS_SERVER --> RDS_DB
      PRIV --> REDIS
      ECS --> RDS_DB
      ECS --> REDIS
      ECS --> S3
    end

    subgraph SECRETS["Secrets and Configuration"]
      ENVVARS["ECS Env Vars<br/>qrodules_env_vars"]
      SECRETKEY["Django SECRET_KEY<br/>qrodules_secret_key"]
      DBSECRETS["DB Master Secrets<br/>qrodules_secrets"]
      SSM["SharePoint SSM Parameters"]
      REGISTRY["GitHub Registry Secret"]
      SENTRY["Sentry Project<br/>qrodules_sentry"]
      EMAIL["SES SMTP / Email<br/>qrodules_email"]

      SECRETKEY --> ENVVARS
      RDS_DB --> ENVVARS
      REDIS --> ENVVARS
      S3 --> ENVVARS
      SSM --> ENVVARS
      SENTRY --> ENVVARS
      EMAIL --> ENVVARS
      REGISTRY --> ECS
      ENVVARS --> ECS
      DBSECRETS --> RDS_SERVER
    end

    subgraph OPS["Operations and Access"]
      BASTION["EC2 Bastion<br/>qrodules_bastion"]
      PATCHER["SSM Patcher<br/>qrodules_patcher"]
      DEVACCESS["Developer Access<br/>qrodules_developer_access"]
      LOGS["ECS Log Groups"]

      PUB --> BASTION
      BASTION --> RDS_SERVER
      PATCHER --> BASTION
      DEVACCESS --> ECS
      ECS --> LOGS
      DEVACCESS --> LOGS
    end
  end

  MAIN --> PROVIDER
  PROVIDER --> VPC

```