Where we are
The foundation is in place. A containerised Symfony app running on AWS ECS Fargate, behind an Application Load Balancer with HTTPS, deployed automatically via GitHub Actions on every push to main. Infrastructure is managed entirely with Terraform, state stored in Terraform Cloud.
Environment variables and secrets are managed via SSM Parameter Store, keeping sensitive values out of the codebase and Terraform state.
The CI/CD pipeline handles both application and infrastructure changes — path detection determines what needs to run, code quality checks and infrastructure changes are gated appropriately, and the production deploy only runs once everything upstream is green. Infrastructure can be partially paused between sessions to keep costs down, with a single script to resume.
All Terraform configuration uses input variables, making the setup ready to extend to multiple environments.
A managed PostgreSQL database runs on RDS in a private subnet, with credentials stored in SSM Parameter Store. Database migrations run automatically on container startup via the entrypoint script.
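The secret-handling described above (SSM values injected into the container while staying out of Terraform state), as an added Terraform example that is not the project's own code. The parameter path, the execution role, the KMS key and the ECR repository names are assumptions.

```hcl
# Added example, not the project's code. Assumed: the parameter path
# /app/production/DATABASE_URL, resources aws_iam_role.ecs_execution,
# aws_kms_key.ssm and aws_ecr_repository.app defined elsewhere.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  # Build the parameter ARN from its path instead of reading it through a
  # data "aws_ssm_parameter" block: a data-source read would copy the
  # SecureString value into Terraform state.
  db_url_param_arn = "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/app/production/DATABASE_URL"
}

# The task *execution* role fetches secrets at launch; the application's
# task role gets no SSM permission at all.
data "aws_iam_policy_document" "read_params" {
  statement {
    actions   = ["ssm:GetParameters"]
    resources = [local.db_url_param_arn]
  }
  statement {
    # Only required when the SecureString uses a customer-managed KMS key.
    actions   = ["kms:Decrypt"]
    resources = [aws_kms_key.ssm.arn]
  }
}

resource "aws_iam_role_policy" "exec_read_params" {
  role   = aws_iam_role.ecs_execution.id
  policy = data.aws_iam_policy_document.read_params.json
}

resource "aws_ecs_task_definition" "app" {
  family                   = "app"
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = "256"
  memory                   = "512"
  execution_role_arn       = aws_iam_role.ecs_execution.arn
  container_definitions = jsonencode([{
    name  = "app"
    image = "${aws_ecr_repository.app.repository_url}:latest"
    # Non-sensitive settings are plain environment variables ...
    environment = [{ name = "APP_ENV", value = "prod" }]
    # ... secrets are resolved by ECS from SSM at task start; Terraform,
    # the state file and the task definition only ever hold the ARN.
    secrets      = [{ name = "DATABASE_URL", valueFrom = local.db_url_param_arn }]
    portMappings = [{ containerPort = 8080, protocol = "tcp" }]
  }])
}
```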
ECS auto-scaling is in place, maintaining between 1 and 4 tasks based on CPU and memory utilisation.
ElastiCache runs Valkey 8.2 in a private subnet, used for caching and session storage. Sessions are Redis-backed, ensuring consistency across multiple running tasks.
Using HCP Terraform workspace tags, a staging environment has been provisioned alongside production. Both workspaces share the same tag, meaning the same Terraform configuration provisions infrastructure for either environment depending on the active workspace. Modules keep the configuration DRY, avoiding the need to declare resources separately per environment.
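The workspace-tag pattern described above, as an added Terraform example that is not the project's own code. It assumes the robmeijer-uk organisation named on this page, workspaces named robmeijer-uk-production and robmeijer-uk-staging (the convention planned below), a shared tag, and a local module at ./modules/app.

```hcl
# Added example, not the project's code. Assumed: organisation name,
# workspace names, the shared tag and the module path/variables.
terraform {
  cloud {
    organization = "robmeijer-uk"
    workspaces {
      # Every workspace carrying this tag can run this configuration;
      # `terraform workspace select <name>` chooses which one is active.
      tags = ["robmeijer-uk"]
    }
  }
}

locals {
  # Derive the environment from the active workspace name, not from an
  # input variable, so a staging run cannot be pointed at production by
  # a mistyped -var flag.
  environment = endswith(terraform.workspace, "-production") ? "production" : "staging"

  # Per-environment sizing lives in one map; the module only ever sees
  # the entry for the active environment.
  settings = {
    production = { desired_count = 2, max_count = 4, db_instance = "db.t4g.small" }
    staging    = { desired_count = 1, max_count = 2, db_instance = "db.t4g.micro" }
  }
  env = local.settings[local.environment]
}

module "app" {
  source = "./modules/app" # assumed module declaring the variables below

  environment   = local.environment
  desired_count = local.env.desired_count
  max_count     = local.env.max_count
  db_instance   = local.env.db_instance
  # SSM parameters are namespaced per environment (/app/<environment>/...),
  # so the staging execution role is never granted the production paths.
  ssm_prefix = "/app/${local.environment}"
}
```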
Completed
- 9 April 2026 — Phase 1: ECR, VPC, ECS cluster, task definition, and service running with a public IP
- 11 April 2026 — Phase 2: ALB, HTTPS via ACM, private subnets, NAT gateway, Route 53 DNS
- 11 April 2026 — GitHub Actions pipeline: automated build, push to ECR, and ECS deployment
- 11 April 2026 — SSM Parameter Store: environment variables and secrets managed securely
- 11 April 2026 — Automated infrastructure pipeline: path detection, plan on PR, apply on merge
- 12 April 2026 — Terraform input variables: hardcoded values extracted, config ready for multiple environments
- 12 April 2026 — RDS: managed PostgreSQL in a private subnet, migrations on container startup
- 14 April 2026 — Manual and auto-scaling: target tracking on CPU and memory, min 1 / max 4 tasks
- 14 April 2026 — ElastiCache: Valkey 8.2 in a private subnet, cache and session storage
- 15 April 2026 — Multiple environments: HCP Terraform workspace tags, modules, staging and production environments
What's next
Infrastructure essentials
ECS one-off migration task — running database migrations as a separate ECS task that completes before the main service starts, rather than on container startup. A cleaner separation of concerns and closer to the pattern used in larger commercial deployments.
HCP Terraform organisation consolidation — migrate from the standalone robmeijer-uk organisation to the primary robmeijer organisation, rename workspaces to follow a consistent robmeijer-uk-production / robmeijer-uk-staging convention, and rename the project_name variable to environment_prefix to avoid confusion with HCP Terraform's own Projects concept.
Compute and scaling
Canary deployments — gradually shifting traffic to a new version before fully cutting over, reducing the risk of a bad deployment reaching all users at once.
Rollback strategy — a reliable, tested process for reverting to a previous version quickly when a deployment goes wrong.
Lambda and SQS — event-driven worker pattern. Processing a queue with serverless functions, and understanding when Lambda is the right tool versus a long-running container.
CDN and caching
CloudFront — AWS's native CDN, sitting in front of the ALB to cache responses at the edge and reduce load on the application. The natural next layer for a production setup already running on AWS.
Fastly — a CDN exploration beyond the AWS ecosystem. HTTP caching at the edge, surrogate keys for cache invalidation, and how a CDN layer changes the architecture of a web application.
Cloudflare — a popular CDN and security platform that sits in front of your infrastructure regardless of where it's hosted. Covers CDN, DDoS protection, and edge compute via Cloudflare Workers. A good comparison point against the AWS-native CloudFront approach.
Database
Aurora Serverless v2 — AWS's cloud-native database engine, protocol-compatible with PostgreSQL but with automatic compute scaling and the ability to scale to zero when idle. Worth exploring as a cost-effective alternative to RDS for variable workloads.
Architecture exploration
API Gateway, VPC Link, and Cloud Map — a low-cost alternative to the Application Load Balancer, and the right pattern for microservices and Lambda-backed APIs.
Multiple services on one cluster — deploying a second app to the same ECS cluster, and understanding how to share infrastructure cleanly in Terraform.
CDK — exploring the same infrastructure through AWS Cloud Development Kit with TypeScript, and understanding how it compares to Terraform in a commercial context.
Spacelift — an infrastructure orchestration platform that sits on top of Terraform, adding workflow management, policy enforcement via Rego, drift detection, and stack dependency management. Used commercially alongside Terraform as an alternative to Terraform Cloud. Worth exploring as a potential path to help migrate from CDK to Terraform + Spacelift at work.
Further out
As the infrastructure matures, the site itself will evolve alongside it — moving from flat Markdown files to a database-backed content model, and eventually serving as a live demonstration of the patterns documented here.
The centralised infrastructure pattern — where a single repository manages infrastructure for multiple services, with each service contributing only a small configuration file — is worth exploring once the multi-service setup is in place.