RichardOrnelas/fake_business

Fake Business AWS Infrastructure

This repository houses the Terraform infrastructure code for all of the operating environments for fakebusiness services. All of the included resources are listed below.


Under the hood in AWS, fakebusiness leverages the following:

  • AWS Elastic Container Service for Web and Worker container hosting.
  • AWS Application Load Balancer for managing web connections.
  • AWS Relational Database Service for the PostGres db.
  • AWS S3 bucket for storing attachments.
  • S3 Bucket and Cloudfront for the React application.
  • MSK Serverless for Managed Kafka
  • Event-driven lambdas for s3 bucket events
  • Twingate VPN

NextJS Application

The NextJS application uses Terraform for management of non-ECS resources, like the RDS Postgres database, as well as all of the networking and cluster configuration. Everything else ECS-centric is managed using ECS Deployer. ECS Deployer allows us to host multiple environments and multiple ECS services, as well as some other niceties, in a single config set. ECS Deployer configuration files can be found in the .ecsdeployer/ directory in the fakebusiness Web App repo.

We can also leverage the companion Remote Shell Client, which allows you to create a session in any Operating Environment without disturbing the existing services. This method is great for spelunking and investigating issues in non-local AWS environments, as you have the exact same configs and settings as the actual running application.

Marketing

The Fake Business Client is hosted inside an S3+Cloudfront+WAF Holy Trinity. The S3 bucket houses the live build in a directory called current. The site files inside the current directory represent what is served to the client when they hit a naked domain like app.fakebusiness.com. Outside of that, there will be additional directories in the bucket meant to represent past builds, used for comparison in QA efforts. Previous versions and shas are available in a given environment at <sha>.site.dev.fakebusiness.com or <version>.site.staging.fakebusiness.com. In addition to serving the S3 bucket content on the global distribution network, the Cloudfront also houses a lambda function that provides the dynamic routing described above. The source code for this lambda lives in this repo under the /functions directory.

In addition to the standard S3 Cloudfront combo, I implemented a global Web Access Firewall on the Cloudfront distro. This WAF is meant to block international traffic and provide a strict IP whitelisting experience for pre-production environments. Updates to the WAF should be made with great caution. The whitelisted IP addresses are housed in the variables.tf file, and currently only include the public IP address of the AWS VPN.

ECS Application

The fakebusiness-API uses Terraform for management of non-ECS resources, like the RDS Postgres database, as well as all of the networking and cluster configuration. Everything else ECS-centric is managed using ECS Deployer. ECS Deployer allows us to host multiple environments and multiple ECS services, as well as some other niceties, in a single config set. ECS Deployer configuration files can be found in the .ecsdeployer/ directory in the fakebusiness API repo.

We can also leverage the companion Remote Shell Client, which allows you to create a session in any Operating Environment without disturbing the existing services. This method is great for spelunking and investigating issues in non-local AWS environments, as you have the exact same configs and settings as the actual running application.

Cognito

Currently, fakebusiness uses AWS Cognito as a User Service. While this service is configured inside of this Terraform file, there are limitations imposed by AWS that limit the effectiveness of Terraform to manage user pools. Please use caution when editing the Cognito configuration, as most changes will require destroying some element in order to recreate it.

Operating Environments

These operating environments are managed in the Terraform Workspaces.

Name App API
dev app.dev.fakebusiness.com api.dev.fakebusiness.com
staging app.staging.fakebusiness.com api.staging.fakebusiness.com
prod app.fakebusiness.com api.fakebusiness.com

Connecting to AWS Console UI

Easy, peesy. Log in at https://fakebusiness.awsapps.com/start and select the account you want to access.

Connecting to AWS via AWSCLI or other command-line tools

This one requires a little setup. Follow these steps:

  1. Install the awscli with brew install awscli.
  2. Set up your ~/.aws/config with profiles that look like this. Note: you may not have AdministratorAccess, in which case, make more important friends.
; Fake Business
[profile fakebusiness-production]
sso_start_url = https://fakebusiness.awsapps.com/start 
sso_region = us-east-1
sso_account_id = 767398123958
sso_role_name = AdministratorAccess
region = us-east-1
output = json

[profile fakebusiness-staging]
sso_start_url = https://fakebusiness.awsapps.com/start 
sso_region = us-east-1
sso_account_id = 730335234660
sso_role_name = AdministratorAccess
region = us-east-1
output = json

[profile fakebusiness-dev]
sso_start_url = https://fakebusiness.awsapps.com/start 
sso_region = us-east-1
sso_account_id = 891377140782
sso_role_name = AdministratorAccess
region = us-east-1
output = json
  3. Next, we are going to add a snippet to our ~/.zshrc file that will make it buttery smooth to log in with SSO.
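function aws-login {
  # Profile name from ~/.aws/config, e.g. fakebusiness-dev
  profile="$1";
  if [ -z "$profile" ]; then
    echo "Profile is required as first argument.";
    return 1
  fi

  echo "Using SSO account"
  # Stop if the SSO login fails, so that stale credentials are not exported
  aws sso login --profile "$profile" || return 1;
  # Export the temporary credentials as environment variables for this shell
  eval "$(aws configure export-credentials --profile "$profile" --format env)";
  export AWS_PROFILE="$profile";
  echo "AWS_PROFILE set to $profile"
}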
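
An added example, not part of this repository: because aws-login exports both credential variables and AWS_PROFILE, the two can end up pointing at different accounts (for instance after changing AWS_PROFILE by hand in the same shell). This guard compares the account the active credentials resolve to with the sso_account_id the profile declares; the function names aws_profile_account and aws_assert_account are hypothetical, and the config layout is the one shown above.

```shell
# Added example (not from this repository). Function names are hypothetical.

# Print the sso_account_id declared for a profile in an AWS config file.
# $1 = profile name, $2 = config file (defaults to ~/.aws/config)
aws_profile_account() {
  awk -v want="[profile $1]" '
    /^\[/ {
      # Section header: note whether this is the wanted profile
      line = $0; sub(/[ \t\r]+$/, "", line)
      in_profile = (line == want)
      next
    }
    in_profile && /^[ \t]*sso_account_id[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, "")
      print; exit
    }
  ' "${2:-$HOME/.aws/config}"
}

# Return 0 only when the credentials active in this shell resolve to the
# account the profile declares. $1 = profile name, $2 = config file (optional)
aws_assert_account() {
  expected=$(aws_profile_account "$1" "$2")
  if [ -z "$expected" ]; then
    echo "No sso_account_id found for profile $1" >&2
    return 2
  fi
  # Ask STS which account the current credentials belong to
  actual=$(aws sts get-caller-identity --query Account --output text) || return 3
  if [ "$actual" != "$expected" ]; then
    echo "Account mismatch: credentials are for $actual, profile $1 expects $expected" >&2
    return 1
  fi
  echo "OK: profile $1 matches account $actual"
}

# Offline demo of the parser on a constructed config with the same layout as above
sample_cfg=$(mktemp)
printf '%s\n' '[profile fakebusiness-dev]' 'sso_region = us-east-1' \
  'sso_account_id = 891377140782' > "$sample_cfg"
aws_profile_account fakebusiness-dev "$sample_cfg"
rm -f "$sample_cfg"
```

Run aws_assert_account fakebusiness-staging after aws-login fakebusiness-staging and before any terraform plan or apply, and stop if it returns non-zero.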

Using MSK Kafka Locally

  1. Install kafka with brew: brew install kafka wget
  2. Download the IAM MSK Auth magic
cd /opt/homebrew/opt/kafka/libexec/libs
wget https://github.com/aws/aws-msk-iam-auth/releases/download/v1.1.1/aws-msk-iam-auth-1.1.1-all.jar
  3. Add the client.properties file to wherever you are going to run your commands from. I keep it right here.
  4. Connect to the VPN.
  5. Auth to AWS using aws-login.
  6. Run kafka commands referencing the config. Here is an example. Notice that the bootstrap server is per environment:
kafka-topics --bootstrap-server boot-s1wuzf1s.c2.kafka-serverless.us-east-1.amazonaws.com:9098 --command-config client.properties --create --topic  files --partitions 2

Now, when you want to log in to an AWS account, use aws-login <profile-name>, e.g. aws-login fakebusiness-dev. The website will ask you to verify and sign in.

CI/CD Flow

  1. New branch from main, ideally named from Github Issue like #20/Do-the-thing or with ownership like Username/#20
  2. Make changes, creating a draft Pull Request for easy collaboration without triggering any Github Deployment Actions.
  3. When you are ready to party, undraft. Automated workflows including testing, linting and validations will run and complete (hopefully).
  4. Github Actions will deploy a temporary environment for your Pull Request. Subsequent updates to the Pull Request will be deployed to this infrastructure. That Github Action lives here.
  5. After reviewing the code changes and the preview URL as needed, approve the code, and merge the Pull Request to main.
  6. With the merge to main branch, the dev environment is updated. That Github Workflow lives here.
  7. Whatever the reason, you create a new Release in Github with proper semantic versioning, and mark it as a prerelease. This deploys the staging environment.
  8. QA efforts prove uneventful. Perfect. Sounds like Production o'clock. In Github, edit the release and uncheck the prerelease box and Save.
  9. Apply sunscreen, unfold beach chair, and bask in orange glow of a new feature making it all the way to production

Secrets and Configurations

This application leverages a few ways to manage configurations and secrets.

  • Github Project Secrets - There are three secret values that are only used in the CI pipelines in Github. They include AWS Credentials and a Slack Webhook URL. Use Github Secrets for all sensitive values. They are easy to inject into the CI pipelines using the ${{ secrets.WHATEVER_THE_SECRET_KEY_IS }} syntax.
  • SSM - The ECS Task Definitions use SSM to pass the Database URL and S3 application bucket from the Terraform CI process.

Changing Configs to AWS/Terraform

All of the default configurations for Terraform live in variables.tf in this repository. Changing these values may impact every environment on apply. In addition to the defaults, you can override specific variables in the CI process in the various Github workflows by setting environment variables. They are prefixed with TF_VAR_ so they are easy to distinguish.

  - name: Terraform Apply
    id: apply
    env: 
      TF_WORKSPACE: staging
      TF_VAR_db_postgres_version: "15.3"
      TF_VAR_db_parameter_group: "default.postgres15"
      TF_VAR_db_instance_class: "db.t3.micro"
      TF_VAR_slack_webhook_url: ""
    run: terraform apply -no-color --auto-approve
    continue-on-error: false
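
An added example, not part of this repository: since defaults in variables.tf are committed and apply to every environment, a pre-commit style check can flag secret-looking variables that carry a literal default (as slack_webhook does in the Inputs table below) or are not marked sensitive. The function name tf_secret_lint, the name pattern and the sample file are assumptions; the sample uses a placeholder URL.

```shell
# Added example (not from this repository). tf_secret_lint is a hypothetical name.

# Flag Terraform variables whose names look secret but that carry a literal
# default or are not marked sensitive. $1 = path to a variables.tf file.
# Assumes each variable block closes with a brace in column 0.
tf_secret_lint() {
  awk '
    /^[ \t]*variable[ \t]+"/ {
      # Start of a variable block: remember its name and reset the flags
      split($0, parts, "\""); name = parts[2]
      has_default = 0; sensitive = 0; inside = 1
      next
    }
    inside && /^[ \t]*default[ \t]*=/ {
      value = $0; sub(/^[^=]*=[ \t]*/, "", value)
      # An empty string or null default does not leak a value
      if (value !~ /^(""|null)[ \t\r]*$/) has_default = 1
    }
    inside && /^[ \t]*sensitive[ \t]*=[ \t]*true/ { sensitive = 1 }
    inside && /^}/ {
      # End of the block: report only secret-looking names
      if (tolower(name) ~ /(password|secret|token|key|webhook)/) {
        if (has_default) print name ": literal default committed to the repo"
        if (!sensitive)  print name ": not marked sensitive = true"
      }
      inside = 0
    }
  ' "$1"
}

# Constructed sample in the shape of this repo's inputs (placeholder values only)
sample_tf=$(mktemp)
cat > "$sample_tf" <<'EOF'
variable "slack_webhook" {
  description = "Slack Webhook URL for Cloudwatch Alerts"
  type        = string
  default     = "https://hooks.slack.com/services/EXAMPLE/EXAMPLE/PLACEHOLDER"
}

variable "db_password" {
  description = "database password"
  type        = string
  sensitive   = true
}

variable "db_instance_class" {
  type    = string
  default = "db.t3.micro"
}
EOF
tf_secret_lint "$sample_tf"
rm -f "$sample_tf"
```

A flagged variable is fixed by dropping the default, adding sensitive = true, and supplying the value per environment through a TF_VAR_ variable fed from Github Secrets.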

Adding Secrets to fakebusiness-Client

Secrets for the client are managed in the CI process, because they are needed at build time in each environment. Here is an example of environment variables at the Job level in Github Actions.

build:
  name: Build and Deploy Review Environment
  needs: test
  if: ${{ ! github.event.pull_request.draft }}
  runs-on: ubuntu-latest
  concurrency:
    group: ${{ github.ref }}-build
    cancel-in-progress: true
  permissions:
    contents: read
    pull-requests: write
    id-token: write
  env:
    REACT_APP_ALIX_GRAPHQL_API: "https://dev.api.fakebusiness.com/graphql" 
    REACT_APP_AWS_REGION: us-east-1
    REACT_APP_COGNITO_USERPOOL_ID: us-east-1_ngIaKZuB2
    REACT_APP_COGNITO_CLIENT_ID: 3h6ron68mkv94hd8bok2fno93j
    CI: false
    TSC_COMPILE_ON_ERROR: true
    ESLINT_NO_DEV_ERRORS: true

Adding Secrets to fakebusiness-API

Secrets and environment variables are handled in the ECS Deployer configurations. They leverage both plain-text and SSM values.

environment:
  SOMEVARNAME: foobar
  APP_BUCKET:
    ssm: /fakebusiness/staging/APP_BUCKET
  DATABASE_URL:
    ssm: /fakebusiness/staging/DATABASE_URL

Working with this Repo

Assuming you started with this template, here is what is recommended to do next:

  1. Install pre-commit with pre-commit install.
  2. Update the information in the provider.tf. You will need to add the information about state, as well as default tags. To attain Terraform State bucket configurations, ask a DevOps Engineer, or create your own bucket.
  3. Initiate the Terraform state with terraform init.
  4. Start adding resources to main.tf, variables to variables.tf, relevant outputs to outputs.tf, and so forth.
  5. Plan your changes with terraform plan.
  6. Commit your changes. The pre-commit process will lint your code for you as part of the commit process.

Terraform Infrastructure Documentation

Inputs

Name Description Type Default Required
availability_zones List of availability zones in the region map(string) { "us-east-1": "us-east-1a,us-east-1b,us-east-1c" } no
aws_accounts list of aws accounts list(string) [ "767398123958", "730335234660", "891377140782" ] no
conduktor_admin_password Admin password for Conduktor service string n/a yes
datadog_api_key Datadog API Key string n/a yes
db_instance_class Size and Class for the RDS Postgres instance string "db.t3.micro" no
db_password database password string n/a yes
db_postgres_version Postgres database version string "16.2" no
db_storage Postgres allocated storage number 20 no
google_client_id Google Client ID for SSO Cognito App string n/a yes
google_client_secret Google Client Secret for SSO Cognito App string n/a yes
kafka_instance_class MSK Kafka instance class string "kafka.t3.small" no
project Identifier for the project string "fakebusiness" no
region AWS Region to deploy resources in string "us-east-1" no
rudderstack_data_plane_url Rudderstack Data Plane URL string n/a yes
rudderstack_write_key Rudderstack Write Key string n/a yes
sentry_auth_token Sentry Auth Token string n/a yes
slack_webhook Slack Webhook URL for Cloudwatch Alerts string "https://hooks.slack.com/services/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" no
twingate_token Twingate Network Access Token string n/a yes

Resources

Name Type
aws_acm_certificate.primary resource
aws_acm_certificate_validation.ssl_cert resource
aws_budgets_budget.total resource
aws_cloudfront_cache_policy.assets resource
aws_cloudfront_cache_policy.site resource
aws_cloudfront_distribution.assets resource
aws_cloudfront_distribution.site resource
aws_cloudfront_function.build_viewer_request resource
aws_cloudfront_origin_access_control.assets resource
aws_cloudfront_origin_access_control.main resource
aws_cloudfront_origin_access_control.site resource
aws_cloudfront_response_headers_policy.assets resource
aws_cloudfront_response_headers_policy.site resource
aws_cloudwatch_log_group.conduktor resource
aws_cloudwatch_log_group.flow_logs resource
aws_cloudwatch_log_group.msk resource
aws_cloudwatch_log_group.name resource
aws_cloudwatch_metric_alarm.ecs_cpu resource
aws_cloudwatch_metric_alarm.kafka_data_logs_disk_used resource
aws_cloudwatch_metric_alarm.msk_cpu_credit resource
aws_cloudwatch_metric_alarm.nat_gateway_usage resource
aws_cloudwatch_metric_alarm.rds_read_latency resource
aws_cloudwatch_metric_alarm.rds_storage_space resource
aws_cloudwatch_metric_alarm.rds_write_latency resource
aws_cognito_identity_provider.google resource
aws_cognito_user_pool.main resource
aws_cognito_user_pool_client.client resource
aws_cognito_user_pool_domain.domain resource
aws_db_instance.conduktor resource
aws_db_instance.primary resource
aws_db_parameter_group.primary resource
aws_db_subnet_group.ecs resource
aws_ecr_repository.api resource
aws_ecr_repository.app resource
aws_ecr_repository_policy.api_ecr_policy resource
aws_ecr_repository_policy.app_ecr_policy resource
aws_ecs_cluster.primary resource
aws_ecs_cluster_capacity_providers.primary resource
aws_ecs_service.conduktor resource
aws_ecs_task_definition.conduktor resource
aws_eip.nat resource
aws_flow_log.flow_logs resource
aws_flow_log.primary resource
aws_iam_openid_connect_provider.github resource
aws_iam_role.api resource
aws_iam_role.app resource
aws_iam_role.conduktor resource
aws_iam_role.datadog resource
aws_iam_role.ecs_execution resource
aws_iam_role.flow_logs resource
aws_iam_role.github resource
aws_iam_role.rds_enhanced_monitoring resource
aws_iam_role.slack_iam_for_lambda resource
aws_iam_role_policy.api_policy resource
aws_iam_role_policy.app_policy resource
aws_iam_role_policy.conduktor_policy resource
aws_iam_role_policy.ecs_execution_policy resource
aws_iam_role_policy.flow_logs resource
aws_iam_role_policy.github resource
aws_iam_role_policy_attachment.rds_enhanced_monitoring resource
aws_iam_role_policy_attachment.readonly_role_policy_attach resource
aws_iam_role_policy_attachment.readonly_role_policy_attachment resource
aws_internet_gateway.primary resource
aws_lambda_function.slack_sns resource
aws_lambda_permission.with_sns resource
aws_lb.web resource
aws_lb_listener.http resource
aws_lb_listener.https resource
aws_lb_listener_rule.api resource
aws_lb_listener_rule.conduktor resource
aws_lb_target_group.api resource
aws_lb_target_group.app resource
aws_lb_target_group.conduktor resource
aws_msk_cluster.main resource
aws_msk_configuration.main resource
aws_msk_configuration.main37 resource
aws_msk_configuration.production resource
aws_nat_gateway.primary resource
aws_route.primary_internet_public resource
aws_route.primary_nat_private resource
aws_route53_record.amazonses_verification_record resource
aws_route53_record.api resource
aws_route53_record.app resource
aws_route53_record.assets resource
aws_route53_record.conduktor resource
aws_route53_record.ses_domain_mail_from_mx resource
aws_route53_record.ses_domain_mail_from_txt resource
aws_route53_record.ssl_cert resource
aws_route53_record.www resource
aws_route53_zone.primary resource
aws_route_table.primary_private resource
aws_route_table.primary_public resource
aws_route_table_association.private resource
aws_route_table_association.public resource
aws_s3_bucket.alb_logs resource
aws_s3_bucket.assets resource
aws_s3_bucket.assets_access_logs resource
aws_s3_bucket.document_bucket resource
aws_s3_bucket.email resource
aws_s3_bucket.flow_logs resource
aws_s3_bucket.site resource
aws_s3_bucket.site_access_logs resource
aws_s3_bucket_acl.alb_logs resource
aws_s3_bucket_acl.assets_access_logs resource
aws_s3_bucket_acl.document_bucket resource
aws_s3_bucket_acl.flow_logs resource
aws_s3_bucket_acl.site_access_logs resource
aws_s3_bucket_cors_configuration.assets resource
aws_s3_bucket_cors_configuration.example resource
aws_s3_bucket_cors_configuration.site resource
aws_s3_bucket_lifecycle_configuration.assets resource
aws_s3_bucket_lifecycle_configuration.site resource
aws_s3_bucket_logging.alb_logs resource
aws_s3_bucket_logging.assets resource
aws_s3_bucket_logging.document_bucket resource
aws_s3_bucket_logging.flow_logs resource
aws_s3_bucket_logging.site resource
aws_s3_bucket_ownership_controls.alb_logs resource
aws_s3_bucket_ownership_controls.assets resource
aws_s3_bucket_ownership_controls.assets_access_logs resource
aws_s3_bucket_ownership_controls.document_bucket resource
aws_s3_bucket_ownership_controls.flow_logs resource
aws_s3_bucket_ownership_controls.site resource
aws_s3_bucket_ownership_controls.site_access_logs resource
aws_s3_bucket_policy.alb_logs resource
aws_s3_bucket_policy.assets resource
aws_s3_bucket_policy.assets_access_logs resource
aws_s3_bucket_policy.document_bucket resource
aws_s3_bucket_policy.email resource
aws_s3_bucket_policy.flow_logs resource
aws_s3_bucket_policy.site resource
aws_s3_bucket_policy.site_access_logs resource
aws_s3_bucket_public_access_block.assets resource
aws_s3_bucket_public_access_block.site resource
aws_s3_bucket_server_side_encryption_configuration.assets resource
aws_s3_bucket_server_side_encryption_configuration.site resource
aws_s3_bucket_versioning.assets resource
aws_s3_bucket_versioning.site resource
aws_security_group.alb_public resource
aws_security_group.ecs resource
aws_security_group.msk resource
aws_security_group.rds resource
aws_security_group_rule.alb_public_443_platform resource
aws_security_group_rule.alb_public_80_platform resource
aws_security_group_rule.alb_vpn resource
aws_security_group_rule.ecs_egress resource
aws_security_group_rule.ecs_self resource
aws_security_group_rule.ecs_sg_http resource
aws_security_group_rule.ecs_sg_http2 resource
aws_security_group_rule.ecs_sg_https resource
aws_security_group_rule.ecs_sg_web resource
aws_security_group_rule.ecs_vpn resource
aws_security_group_rule.lb_egress resource
aws_security_group_rule.lb_ingress_cloudfront resource
aws_security_group_rule.msk_ecs resource
aws_security_group_rule.msk_egress resource
aws_security_group_rule.msk_local resource
aws_security_group_rule.msk_self resource
aws_security_group_rule.msk_vpn resource
aws_security_group_rule.rds_egress resource
aws_security_group_rule.rds_postgres_ecs resource
aws_security_group_rule.rds_postgres_vpn resource
aws_ses_domain_identity.main resource
aws_ses_domain_identity_verification.main_verification resource
aws_ses_domain_mail_from.main resource
aws_ses_identity_notification_topic.main resource
aws_ses_identity_policy.main resource
aws_ses_receipt_rule.store resource
aws_ses_receipt_rule_set.main resource
aws_sns_topic.cloudwatch_alerts resource
aws_sns_topic_subscription.topic_lambda resource
aws_ssm_parameter.cognito_client_id resource
aws_ssm_parameter.cognito_user_pool resource
aws_ssm_parameter.datadog_api_key resource
aws_ssm_parameter.global resource
aws_ssm_parameter.kafka_bootstrap_servers resource
aws_ssm_parameter.rudderstack_data_plane_url resource
aws_ssm_parameter.rudderstack_write_key resource
aws_ssm_parameter.sentry_auth_token resource
aws_ssm_parameter.zookeeper_connect_string resource
aws_subnet.private resource
aws_subnet.public resource
aws_vpc.primary resource
aws_wafv2_ip_set.ip_whitelist resource
aws_wafv2_web_acl.firewall resource
twingate_resource.api resource
twingate_resource.app resource
twingate_resource.conduktor resource
twingate_resource.kafka_broker resource
twingate_resource.site resource
twingate_resource.vpc resource

Outputs

Name Description
acm_cert_arn some description
api_url API URL
app_url Web App URL
assets_bucket_name Name of the assets bucket
assets_url Assets URL
bootstrap_brokers_iam TLS connection host:port pairs
cognito_client_id ID of the Cognito Client
cognito_user_pool_id ID of the Cognito User Pool
conduktor_url Conduktor URL
database_url URL to the RDS postgres database
document_bucket_arn ARN of the document bucket
document_bucket_name Name of the document bucket
domain Domain for the project environment
email_bucket SES Email storage bucket ARN
email_bucket_name Name of the email bucket
github_oidc_role_arn Github OIDC Role ARN
kafka_arn ARN of the Serverless Managed Kafka
kafka_bootstrap_servers Bootstrap Servers of the Serverless Managed Kafka
nat_gateway_ip NAT Gateway IP address
route53_nameservers some description
route53_zone_id some description
ses_arn ARN for the SES domain
site_bucket_name Name of the marketing site bucket
site_url Website URL
zookeeper_connect_string Kafka Zookeeper connection string

Providers

Name Version
archive 2.4.2
aws 5.53.0
twingate 3.0.4

Modules

Name Source Version
twingate ./modules/twingate-connector n/a

DEVELOPMENT

Name Description Value Sensitive
acm_cert_arn some description "arn:aws:acm:us-east-1:891377140782:certificate/c78aa62c-b775-4672-8c88-c39c84563b12" no
api_url API URL "https://api.dev.fakebusiness.com" no
app_bucket_name Name of the web app bucket "fakebusiness-app-dev" no
app_url API URL "https://app.dev.fakebusiness.com" no
cognito_client_id ID of the Cognito Client "37bev9vimuakocf45d4mrdscus" no
cognito_user_pool_id ID of the Cognito User Pool "us-east-1_Lj117fjcj" no
database_url URL to the RDS postgres database "postgres://fakebusiness:PASSWORD@fakebusiness-dev.cfcess626hnv.us-east-1.rds.amazonaws.com:5432/fakebusiness" no
document_bucket_arn ARN of the document bucket "arn:aws:s3:::fakebusiness-documents-dev" no
document_bucket_name Name of the document bucket "fakebusiness-documents-dev" no
domain Domain for the project environment "dev.fakebusiness.com" no
github_oidc_role_arn Github OIDC Role ARN "arn:aws:iam::891377140782:role/fakebusiness-github-actions" no
kafka_arn ARN of the Serverless Managed Kafka "arn:aws:kafka:us-east-1:891377140782:cluster/fakebusiness-main-cluster/74e12fed-5943-4e44-8077-9518f13623a4-s2" no
kafka_bootstrap_servers Bootstrap Servers of the Serverless Managed Kafka "boot-8a2ogjqa.c2.kafka-serverless.us-east-1.amazonaws.com:9098" no
nat_gateway_ip NAT Gateway IP address "3.211.218.198" no
route53_nameservers some description [ "ns-1148.awsdns-15.org", "ns-1976.awsdns-55.co.uk", "ns-505.awsdns-63.com", "ns-876.awsdns-45.net" ] no
route53_zone_id some description "Z090713836UUDSL1B9HD2" no
secrets_arn Environment secrets ARN "arn:aws:secretsmanager:us-east-1:891377140782:secret:environment-6r5ylb" no
site_bucket_name Name of the marketing site bucket "fakebusiness-website-dev" no
site_url API URL "https://site.dev.fakebusiness.com" no

STAGING

Name Description Value Sensitive
acm_cert_arn some description "arn:aws:acm:us-east-1:730335234660:certificate/483de23f-a3f9-4970-9175-564366cea321" no
api_url API URL "https://api.staging.fakebusiness.com" no
app_bucket_name Name of the web app bucket "fakebusiness-app-staging" no
app_url API URL "https://app.staging.fakebusiness.com" no
cognito_client_id ID of the Cognito Client "7j4ti4pd87o5sbushpo1f3re9h" no
cognito_user_pool_id ID of the Cognito User Pool "us-east-1_h9aygNjAA" no
database_url URL to the RDS postgres database "postgres://fakebusiness:PASSWORD@fakebusiness-staging.c90as0mekgcf.us-east-1.rds.amazonaws.com:5432/fakebusiness" no
document_bucket_arn ARN of the document bucket "arn:aws:s3:::fakebusiness-documents-staging" no
document_bucket_name Name of the document bucket "fakebusiness-documents-staging" no
domain Domain for the project environment "staging.fakebusiness.com" no
github_oidc_role_arn Github OIDC Role ARN "arn:aws:iam::730335234660:role/fakebusiness-github-actions" no
kafka_arn ARN of the Serverless Managed Kafka "arn:aws:kafka:us-east-1:730335234660:cluster/fakebusiness-main-cluster/af976502-e746-46ea-b95c-237dacf29841-s1" no
kafka_bootstrap_servers Bootstrap Servers of the Serverless Managed Kafka "boot-kxkgk87y.c1.kafka-serverless.us-east-1.amazonaws.com:9098" no
nat_gateway_ip NAT Gateway IP address "54.82.22.34" no
route53_nameservers some description [ "ns-1275.awsdns-31.org", "ns-1714.awsdns-22.co.uk", "ns-315.awsdns-39.com", "ns-679.awsdns-20.net" ] no
route53_zone_id some description "Z024952234IC03XF20G4E" no
secrets_arn Environment secrets ARN "arn:aws:secretsmanager:us-east-1:730335234660:secret:environment-O22usk" no
site_bucket_name Name of the marketing site bucket "fakebusiness-website-staging" no
site_url API URL "https://site.staging.fakebusiness.com" no

PRODUCTION

Name Description Value Sensitive
acm_cert_arn some description "arn:aws:acm:us-east-1:767398123958:certificate/35ebd919-d1d6-4e5a-b1ac-a5271e8f7893" no
api_url API URL "https://api.fakebusiness.com" no
app_bucket_name Name of the web app bucket "fakebusiness-app-production" no
app_url API URL "https://app.fakebusiness.com" no
cognito_client_id ID of the Cognito Client "2eadc1pgk4vp5ajamjv81j1jqh" no
cognito_user_pool_id ID of the Cognito User Pool "us-east-1_tOrfZUGZP" no
database_url URL to the RDS postgres database "postgres://fakebusiness:PASSWORD@fakebusiness-production.cpe8q4q6esi0.us-east-1.rds.amazonaws.com:5432/fakebusiness" no
document_bucket_arn ARN of the document bucket "arn:aws:s3:::fakebusiness-documents-production" no
document_bucket_name Name of the document bucket "fakebusiness-documents-production" no
domain Domain for the project environment "fakebusiness.com" no
github_oidc_role_arn Github OIDC Role ARN "arn:aws:iam::767398123958:role/fakebusiness-github-actions" no
kafka_arn ARN of the Serverless Managed Kafka "arn:aws:kafka:us-east-1:767398123958:cluster/fakebusiness-main-cluster/81e9a238-d229-4d44-b609-5933d287c0df-s3" no
kafka_bootstrap_servers Bootstrap Servers of the Serverless Managed Kafka "boot-2zpjjxeb.c3.kafka-serverless.us-east-1.amazonaws.com:9098" no
nat_gateway_ip NAT Gateway IP address "44.209.160.13" no
route53_nameservers some description [ "ns-1312.awsdns-36.org", "ns-1537.awsdns-00.co.uk", "ns-492.awsdns-61.com", "ns-796.awsdns-35.net" ] no
route53_zone_id some description "Z06393165SX7J27I8MT8" no
secrets_arn Environment secrets ARN "arn:aws:secretsmanager:us-east-1:767398123958:secret:environment-c60Wuz" no
site_bucket_name Name of the marketing site bucket "fakebusiness-website-production" no
site_url API URL "https://site.fakebusiness.com" no
