WIP.4 Week 1

Florian 2025-10-27 09:43:27 +01:00
parent e0ac417365
commit 32f100a8e2


@ -25,7 +25,8 @@ This project will migrate the Spring PetClinic Microservices demo from its local
- Run full PetClinic microservices on AWS with CI/CD.
- Observability: logs, metrics, traces for 100% of services.
- Cost target: keep monthly infra cost under a defined limit (set by Project Sponsor).
- Cost target: keep monthly infra cost under a defined limit
.
- Security: secrets encrypted, least-privilege IAM, HTTPS for all endpoints.
### Deadlines
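Review bot: the rewritten cost-target bullet is broken by a stray line: the sentence now ends on a line containing only `.`, so the rendered bullet loses its period and gains an orphaned paragraph. Put the period back on the bullet line (`- Cost target: keep monthly infra cost under a defined limit.`). Dropping "(set by Project Sponsor)" also removes the only statement of who owns the limit; if that ownership is recorded elsewhere, say where, otherwise keep the parenthetical.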
@ -162,42 +163,28 @@ This project will migrate the Spring PetClinic Microservices demo from its local
### Jobs and environments
- Each microservices has his own Jenkins pipeline
- Each microservices has his own Jenkins pipeline per environment.
| Environment | Purpose | Infrastructure | Notes |
|----|----|----|----|
| **Development (Local)** | Local testing, feature validation | Docker Compose | Developer workstations |
| **Staging (AWS)** | Integration and pre-prod testing | ECS/EKS (staging cluster), RDS (test DB) | Mirrors production |
| **Production (AWS)** | Live system | ECS/EKS (prod cluster), RDS (prod DB) | Monitored|
| Environment | Purpose | Infrastructure |
|----|----|----|
| **Development (Local)** | Local testing, feature validation | Docker Compose |
| **Staging (AWS)** | Integration and pre-prod testing | ECS/EKS (staging cluster), RDS (test DB) |
| **Production (AWS)** | Live system | ECS/EKS (prod cluster), RDS (prod DB) |
## Storage
### 1. Database (RDBMS)
| **Type** | **Service** | **Use / Description** | **IOPS / Performance** | **Volume / Size** | **Backup Strategy** |
|-----|-----|-----|-----|-----|-----|
| **1. Database (RDBMS)** | Amazon RDS (MySQL) | Structured data for each microservice schema | 3,0006,000 (gp3 default) or provisioned as needed | 20 GB per schema | Automated daily snapshots (14-day retention) |
| **2. Block Storage** | Amazon EBS (gp3) | EC2-hosted Jenkins, logs, or stateful containers | 3,000 baseline | / | Not necessary |
| **3. Object Storage** | Amazon S3 | Logs, backups, images | Standard or Infrequent Access tiers | / | Cross-region replication or versioning enabled |
- Service: Amazon RDS (MySQL)
- IOPS: 3,0006,000 (gp3 default) or provisioned as needed
- Volume: 20 GB per microservice schema
- Backup: Automated daily snapshots (14 day retention)
### 2. Block Storage
- Service: Amazon EBS (gp3)
- Use: EC2-hosted Jenkins, logs, or stateful containers
- IOPS: 3,000 baseline
- Backup: Not necessary
### 3. Object Storage
- Service: Amazon S3
- Use: Logs, backups, images
- Performance: Standard or Infrequent Access tiers
- Backup: Cross-region replication or versioning enabled
## Data
### 1. Location
- Eu-central-1 region
- Place database (RDS) and services in the same region and AZs for low latency.
- Place database (RDS) and services in the same region and AZs.
### 2. Replication / Distribution
| Data Type | Replication / Distribution Strategy |
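Review bot: the new pipeline line keeps the grammar error of the line it replaces; it should read "Each microservice has its own Jenkins pipeline per environment." In the storage table, the IOPS cell `3,0006,000` is missing its range separator (read as 3,000 to 6,000; the same defect exists in the list it replaces), and the Block Storage row pairs "EC2-hosted Jenkins, logs, or stateful containers" with a backup strategy of "Not necessary", which is contradictory: Jenkins job configuration and credentials on an EBS volume are state that must be restorable, so either state that Jenkins configuration lives elsewhere or add EBS snapshots for that volume. The `/` cells in "Volume / Size" should read "TBD" or give a sizing so it is clear they are undecided rather than empty, and the Location bullet lost its "for low latency" rationale without a replacement.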
@ -243,7 +230,7 @@ This project will migrate the Spring PetClinic Microservices demo from its local
| Environment | Nodes | Notes |
|----|----|----|
| **Staging** | 3 ECS container instances (EC2) | Handles staging microservices, mirrors production setup |
| **Staging** | 3 ECS container instances (EC2) | Handles staging microservices, mirrors production setup |
| **Production / Live** | 3 ECS container instances (EC2) | Fixed-size cluster, no autoscaling to reduce costs |
| **Scalability** | N/A for autoscaling | Fixed node count to reduce cost but still allow horizontal scaling via ECS task count or manual node addition. |
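Review bot: the two Staging rows in this hunk are textually identical, so the only change appears to be trailing whitespace; if nothing else changed, this hunk is a no-op and could be left out of the commit. Separately, the "Scalability" row sits in the Environment column of an Environment/Nodes/Notes table; it is not an environment and reads better as a sentence below the table.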
@ -272,4 +259,43 @@ This project will migrate the Spring PetClinic Microservices demo from its local
#### Service Definitions:
- Each microservice has an ECS service with a desired task count.
- Service linked to ALB .
- Service linked to ALB .
## Security
| **Area** | **Focus** | **Implementation / Notes** |
|----|----|----|
| **1. Authentication, Authorization, Auditing (AAA)** | - User & service identity <br> - Access control <br> - Activity tracking | - Spring Security with JWT or OAuth2 <br> - IAM roles restrict AWS access per service <br> - Auditing: Not relevant since we don't handle sensitive data <br> - CloudWatch for app/service logs |
| **2. Code Security** | - Application code <br> - Secrets <br> - Dependencies | - Static analysis via SonarQube or CodeQL <br> - No hardcoded credentials <br> - Secrets in AWS Secrets Manager or Parameter Store <br> - Dependency scanning (OWASP, GitHub Dependabot) |
| **3. Traffic Security** | - Encryption <br> - Routing <br> - Network boundaries | - HTTPS enforced via ALB <br> - Internal TLS optional for microservices <br> - Security groups restrict inbound/outbound ports <br> - Private subnets for internal services and databases |
| **4. Instance / Container Security** | - Node hardening <br> - Container runtime <br> - Secrets handling | - Use minimal and updated AMIs <br> - Regular patching, no direct SSH (bastion-only) <br> - Containers run as non-root users <br> - Vulnerability scanning before deploy <br> - Secrets passed via IAM roles or ECS environment vars |
## Observability
| **Aspect** | **Tools** | **Notes** |
|----|----|----|
| **Metrics** | **Prometheus** | Collect CPU, memory, and ECS task metrics from node exporters |
| | | If microservices expose `/prometheus`, integrate directly. |
| | **Grafana** | Dashboards for system and service health |
| **Logs** | **AWS CloudWatch Logs** | ECS task logs streamed to CloudWatch via Log Drivers. |
| | |Structured JSON logging for easy filtering and search.|
| | |Optional integration into Grafana Loki later. |
| **Traces** | **AWS X-Ray** | Trace API calls across microservices. |
| **Alerts** | **CloudWatch Alarms** | CloudWatch for infrastructure-level alerts (CPU, memory, ECS health)
| | **Grafana Alerts** | Grafana alert rules for application metrics from Prometheus. |
| | | Alerts via email or Slack webhook.|
## Continuity & Recovery
| **Aspect** | **Approach / Tooling** | **Notes** |
|----|----|----|
| **Redundancy** | Multi-AZ deployment | RDS and ECS nodes deployed across multiple Availability Zones for high availability.|
| | | Load balancer automatically routes traffic to healthy tasks. |
| **Failover** | AWS-managed failover | RDS Multi-AZ provides automatic database failover.
| | |ECS services automatically restart failed tasks on healthy nodes.|
| | | Manual intervention only needed for regional failures. |
| **Backup** | AWS Backup / RDS Snapshots| Automated RDS daily backups with retention policy.
| | S3 Versioning | S3 bucket versioning for uploaded images and configs.|
| **Business Continuity Plan** | Operate from secondary region if needed | Documented procedure to restore environment in another AWS region using IaC templates (Terraform). |
| | | Prioritize restoring RDS, Config Server, and API Gateway. |
| **Disaster Recovery Plan** | Cold standby in alternate region | No live duplication to save cost.|
| | | Periodic replication of backups and images to secondary region. |
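Review bot: in the Instance / Container Security row, "Secrets passed via IAM roles or ECS environment vars" contradicts the Code Security row, which puts secrets in AWS Secrets Manager or Parameter Store; plain environment variables in a task definition are readable by anyone allowed to describe the task definition and tend to leak into logs, so the row should say secrets are injected through the task definition's `secrets` field (`valueFrom` pointing at Secrets Manager or SSM Parameter Store) rather than plain environment variables. The AAA row's "Auditing: Not relevant since we don't handle sensitive data" conflicts with "Activity tracking" listed as a focus in the same row and with the least-privilege IAM goal at the top of the document: least privilege cannot be verified, nor an incident reconstructed, without an audit trail, so at minimum CloudTrail for AWS API activity should be named there. "Internal TLS optional for microservices" should also be reconciled with the "HTTPS for all endpoints" goal. Formatting: the rows for CloudWatch Alarms, AWS-managed failover and AWS Backup are missing their closing `|`, and the continuation rows with empty first cells render as separate table rows rather than a merged cell; the Security table already uses `<br>` for multi-line cells, so the Observability and Continuity tables should do the same.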