Osirus AI Serverless (AWS CloudFormation)

Public CloudFormation templates for deploying the Osirus AI stack in your own AWS account.

Architecture Overview

This deployment provisions a multi-tier AWS architecture:

1. Users access the platform through Amazon CloudFront (optional) and an internet-facing Application Load Balancer (ALB).
2. The ALB routes traffic to Amazon ECS services running on AWS Fargate in private subnets.
3. Stateful services run in private subnets across Availability Zones:

• Amazon RDS for primary relational data
• Amazon ElastiCache for Redis for caching/session/queue patterns
• Amazon OpenSearch Service for search/index workloads

4. Static and generated assets are stored in Amazon S3.
5. Runtime secrets and credentials are stored in AWS Secrets Manager.
6. IAM roles/policies enforce service permissions, and Amazon CloudWatch Logs captures logs.

AWS Services Used

• AWS CloudFormation (root and nested stacks)
• Amazon VPC (VPC, subnets, route tables, Internet Gateway, NAT Gateway, security groups)
• Elastic Load Balancing v2 (ALB listeners, listener rules, target groups)
• Amazon ECS on AWS Fargate (cluster, services, task definitions)
• Amazon RDS (DB instances, DB subnet group)
• Amazon ElastiCache for Redis (replication group, subnet group)
• Amazon OpenSearch Service (domain)
• Amazon S3 (bucket, bucket policy)
• AWS Secrets Manager (secret resources)
• AWS IAM (roles, managed policies, user/access key resources)
• AWS Lambda (custom resource automation)
• Amazon CloudWatch Logs (log groups)
• Amazon CloudFront (distribution and policies, optional)

Prerequisites

• AWS CLI v2 configured
• Permissions to create IAM, CloudFormation, VPC networking, ECS/Fargate, ALB, RDS, ElastiCache, OpenSearch, S3, and Secrets Manager resources
• Container images for app/api/worker/migrations

Quickstart

1. Configure AWS profile (optional if default credentials are already set).

export AWS_PROFILE="your-aws-profile"
export AWS_DEFAULT_PROFILE="$AWS_PROFILE"

2. Create a local parameter file from an example.

cp ./parameters.example.json ./parameters.local.json

3. Edit parameters.local.json and replace all placeholders (CHANGE_ME, image names, ARN placeholders, etc.).

4. Launch the stack.

chmod +x ./cft.sh
./cft.sh

Optional Environment Overrides

• CFT_STACK_NAME: custom stack name
• CFT_PARAMETERS_FILE: path to parameter file (default ./parameters.local.json)
• CFT_TEMPLATE_URL: explicit template URL
• CFT_TEMPLATE_BUCKET: bucket used to build default template URL

Example:

CFT_STACK_NAME=osirus-ai-prod \
CFT_PARAMETERS_FILE=./parameters.local.json \
CFT_TEMPLATE_BUCKET=my-cfn-templates \
./cft.sh

Security Notes

• Do not commit real credentials or production parameter files.
• Keep local files such as parameters.local.json untracked.
• Rotate credentials immediately if they were ever exposed in git history.

Architecture Diagram (Text)

Internet Users
      |
      v
[CloudFront (optional)]
      |
      v
[Application Load Balancer]
      |
      v
[ECS Services on Fargate (private subnets)]
   |          |            |
   |          |            +--> [OpenSearch Service]
   |          +---------------> [ElastiCache Redis]
   +--------------------------> [Amazon RDS]
      |
      +-----------------------> [Amazon S3 Assets Bucket]

Supporting services:
- [Secrets Manager] for runtime/application secrets
- [IAM] roles/policies for service permissions
- [CloudWatch Logs] for task/application logs
- [Lambda custom resources] for provisioning helpers
- [VPC] with public/private subnets, IGW, NAT, route tables, security groups