
AWS Staging Terraform Implementation Blueprint

Purpose

This document turns the staging plan into an implementation sequence.

It intentionally does not require you to pre-design low-level VPC details by hand: Terraform defines the network shape, subnets, routing, security groups, and supporting infrastructure for the staging project.

Staging First Principle

Focus on staging only.

Staging is where we validate:

  • the ECS model
  • the deployment pipeline
  • the service network shape
  • the secrets and config model
  • the database and Valkey connectivity

Production already exists and will be handled as a separate coexistence concern.

Implementation Inputs

You do not need to predefine every VPC detail before starting.

The main inputs are:

  • staging account ID: 802732539686
  • project scope: this application only
  • runtime services to deploy
  • existing account access via IAM Identity Center
  • the fact that staging is shared, so the project needs its own isolated VPC and state

Terraform can derive the detailed VPC and subnet layout from those inputs. For this project a /24 VPC (256 addresses) is acceptable for staging if the subnet plan stays modest and the service count stays small: carving it into six /27 subnets (two AZs, three tiers) leaves 27 usable addresses per subnet after the five that AWS reserves, and every awsvpc-mode ECS task consumes one of them, so count tasks rather than services when checking headroom.

1. Terraform Backend

Create the S3-backed Terraform state for staging first, with versioning, server-side encryption, public access blocked and state locking enabled, under a state key that belongs to this project alone so it cannot collide with other projects' state in the shared account.
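The bootstrap and backend configuration described above, as an added example that is not part of the original plan. The bucket name, region and state key are assumptions; the bucket resources are applied once with a local backend, after which the backend block is added to the project's root module and `terraform init -migrate-state` moves the state in.

```hcl
# Added example (not the plan's own code). Bucket name, region and key prefix are assumed.

# --- bootstrap: run once with a local backend, before the backend block below exists ---
resource "aws_s3_bucket" "tfstate" {
  bucket = "example-tfstate-staging-802732539686" # assumed; S3 bucket names are global
}

# Versioning lets you recover the previous state file after a bad apply.
resource "aws_s3_bucket_versioning" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  versioning_configuration {
    status = "Enabled"
  }
}

# State carries resource IDs and sometimes secret values, so encrypt it at rest.
resource "aws_s3_bucket_server_side_encryption_configuration" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "aws:kms" # use "AES256" if the organisation does not mandate a CMK
    }
  }
}

resource "aws_s3_bucket_public_access_block" "tfstate" {
  bucket                  = aws_s3_bucket.tfstate.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Refuse any plain-HTTP access to the state bucket.
resource "aws_s3_bucket_policy" "tfstate_tls_only" {
  bucket = aws_s3_bucket.tfstate.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyInsecureTransport"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource  = [aws_s3_bucket.tfstate.arn, "${aws_s3_bucket.tfstate.arn}/*"]
      Condition = { Bool = { "aws:SecureTransport" = "false" } }
    }]
  })
}

# --- backend: in the project's root module; run `terraform init -migrate-state` after bootstrap ---
terraform {
  backend "s3" {
    bucket       = "example-tfstate-staging-802732539686"          # assumed, same bucket as above
    key          = "projects/this-app/staging/terraform.tfstate"   # one key per project keeps state isolated
    region       = "eu-west-1"                                     # assumed region
    encrypt      = true
    use_lockfile = true # S3-native state locking (Terraform 1.10+); older versions need dynamodb_table instead
  }
}
```

Grant the pipeline's IAM role `s3:GetObject`/`s3:PutObject` only on this project's key prefix rather than on the whole bucket, so one project's CI cannot read or overwrite another project's state in the shared staging account.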

2. Project Network

Let Terraform create:

  • the staging project VPC
  • public subnets for ALB
  • private subnets for ECS
  • private subnets for the database host, with no inbound path from the internet
  • route tables and gateways
  • security groups
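The security-group chain for the network above, as an added example that is not part of the original plan. `aws_vpc.staging` and the container, PostgreSQL and Valkey ports are assumptions. The point of the chain is that each tier only admits traffic from the security group of the tier in front of it, never from a CIDR, so moving a task or re-addressing a subnet cannot widen access.

```hcl
# Added example (not the plan's own code). aws_vpc.staging and the ports are assumed.

locals {
  container_port = 8080 # assumed port the application containers listen on
  postgres_port  = 5432
  valkey_port    = 6379
}

# Internet -> ALB: HTTPS only. If port 80 is needed, add it and redirect to 443 at the listener.
resource "aws_security_group" "alb" {
  name_prefix = "staging-alb-"
  vpc_id      = aws_vpc.staging.id
}

resource "aws_vpc_security_group_ingress_rule" "alb_https" {
  security_group_id = aws_security_group.alb.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
}

# ALB egress is limited to the ECS task SG on the container port, not 0.0.0.0/0.
resource "aws_vpc_security_group_egress_rule" "alb_to_ecs" {
  security_group_id            = aws_security_group.alb.id
  referenced_security_group_id = aws_security_group.ecs.id
  ip_protocol                  = "tcp"
  from_port                    = local.container_port
  to_port                      = local.container_port
}

# ALB -> ECS: tasks accept traffic only from the ALB's security group.
resource "aws_security_group" "ecs" {
  name_prefix = "staging-ecs-"
  vpc_id      = aws_vpc.staging.id
}

resource "aws_vpc_security_group_ingress_rule" "ecs_from_alb" {
  security_group_id            = aws_security_group.ecs.id
  referenced_security_group_id = aws_security_group.alb.id
  ip_protocol                  = "tcp"
  from_port                    = local.container_port
  to_port                      = local.container_port
}

# Tasks need outbound access for ECR pulls, CloudWatch Logs and Secrets Manager (via NAT or VPC endpoints).
resource "aws_vpc_security_group_egress_rule" "ecs_all" {
  security_group_id = aws_security_group.ecs.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "-1"
}

# ECS -> data host: PostgreSQL and Valkey reachable only from the ECS task SG.
# Deliberately no SSH rule: administer the host over SSM Session Manager.
resource "aws_security_group" "data" {
  name_prefix = "staging-data-"
  vpc_id      = aws_vpc.staging.id
}

resource "aws_vpc_security_group_ingress_rule" "data_postgres" {
  security_group_id            = aws_security_group.data.id
  referenced_security_group_id = aws_security_group.ecs.id
  ip_protocol                  = "tcp"
  from_port                    = local.postgres_port
  to_port                      = local.postgres_port
}

resource "aws_vpc_security_group_ingress_rule" "data_valkey" {
  security_group_id            = aws_security_group.data.id
  referenced_security_group_id = aws_security_group.ecs.id
  ip_protocol                  = "tcp"
  from_port                    = local.valkey_port
  to_port                      = local.valkey_port
}
```

Check the result with the VPC Reachability Analyzer or simply by confirming that `aws ec2 describe-security-groups` shows no rule on the data group whose source is a CIDR; every ingress source should be another security-group ID.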

3. Core Platform Services

Create:

  • ECR repositories
  • CloudWatch log groups
  • KMS or secret resources if required by the organisation standard
  • ECS cluster
  • ALB and target groups
  • the EC2 instance for the staging data plane (its services are provisioned in step 4)

4. Data Plane

Create the staging data plane:

  • single EC2 host that provides PostgreSQL, TimescaleDB, PostGIS, and Valkey
  • environment-specific secrets and parameters
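The data host and its application credential, as an added example that is not part of the original plan. The AMI variable, instance type, subnet key, security group and secret naming are assumptions, and installing PostgreSQL, TimescaleDB, PostGIS and Valkey on the host (user data or configuration management) is outside the snippet. The security-relevant choices are: no public IP, no SSH (SSM only), IMDSv2 required, encrypted volumes, and a database password that exists only in Secrets Manager and Terraform state.

```hcl
# Added example (not the plan's own code). var.data_host_ami_id, aws_subnet.data["a"],
# aws_security_group.data and the secret name are assumed.

# Instance role that permits Session Manager only; no key pair, no port 22.
resource "aws_iam_role" "data_host" {
  name_prefix = "staging-data-host-"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "data_host_ssm" {
  role       = aws_iam_role.data_host.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

resource "aws_iam_instance_profile" "data_host" {
  name_prefix = "staging-data-host-"
  role        = aws_iam_role.data_host.name
}

resource "aws_instance" "data" {
  ami                         = var.data_host_ami_id    # assumed variable
  instance_type               = "t3.medium"             # assumed
  subnet_id                   = aws_subnet.data["a"].id # assumed private data subnet
  vpc_security_group_ids      = [aws_security_group.data.id]
  iam_instance_profile        = aws_iam_instance_profile.data_host.name
  associate_public_ip_address = false # reached only from inside the VPC

  # IMDSv2 only: closes the SSRF-to-instance-credentials path via 169.254.169.254.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  root_block_device {
    encrypted   = true
    volume_size = 50
  }

  # Database files on a separate encrypted volume so the root volume can be rebuilt.
  ebs_block_device {
    device_name = "/dev/xvdb"
    volume_size = 100
    encrypted   = true
  }

  tags = { Name = "staging-data", Project = "this-app", Environment = "staging" }
}

# Application DB credential: generated here, stored only in Secrets Manager.
resource "random_password" "app_db" {
  length  = 32
  special = false
}

resource "aws_secretsmanager_secret" "app_db" {
  name = "this-app/staging/app-db" # assumed naming convention
}

resource "aws_secretsmanager_secret_version" "app_db" {
  secret_id = aws_secretsmanager_secret.app_db.id
  secret_string = jsonencode({
    username = "app"
    password = random_password.app_db.result
    host     = aws_instance.data.private_ip
    port     = 5432
    dbname   = "app"
  })
}
```

The generated password lands in Terraform state as well as in Secrets Manager, which is one reason the state bucket must be encrypted and narrowly readable. The host-side provisioning must create the `app` role with this password (for example by reading the secret over SSM from user data), otherwise the credential the tasks receive will not match the database.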

5. Application Services

Deploy the application runtime:

  • API
  • frontend
  • admin panel
  • workers
  • Anisette as a private ECS service with EFS-backed /data when enabled
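The API task definition and service, as an added example that is not part of the original plan; it shows the secrets and config model the staging pass is meant to validate. The roles, ECR repository, log group, cluster, target group, subnet and security-group references and the data host are assumed to exist elsewhere in the module, and the execution role is assumed to hold `secretsmanager:GetSecretValue` on the app-db secret. `local.container_port` is repeated here so the snippet stands alone.

```hcl
# Added example (not the plan's own code). aws_iam_role.ecs_execution, aws_iam_role.api_task,
# aws_ecr_repository.api, aws_cloudwatch_log_group.api, aws_ecs_cluster.staging,
# aws_lb_target_group.api, aws_subnet.private, aws_security_group.ecs, aws_instance.data,
# aws_secretsmanager_secret.app_db and var.region are assumed.

variable "api_image_digest" {
  description = "sha256:... digest of the API image to run, set by the pipeline"
  type        = string
}

locals {
  container_port = 8080 # assumed; must match the ECS security group rule
}

resource "aws_ecs_task_definition" "api" {
  family                   = "staging-api"
  network_mode             = "awsvpc"
  requires_compatibilities = ["FARGATE"]
  cpu                      = 512
  memory                   = 1024
  execution_role_arn       = aws_iam_role.ecs_execution.arn # pulls the image, fetches secrets, ships logs
  task_role_arn            = aws_iam_role.api_task.arn      # what the running code may call; keep it narrow

  container_definitions = jsonencode([{
    name      = "api"
    essential = true
    # Pin by digest so a re-pushed tag cannot silently change what staging runs.
    image                  = "${aws_ecr_repository.api.repository_url}@${var.api_image_digest}"
    portMappings           = [{ containerPort = local.container_port, protocol = "tcp" }]
    readonlyRootFilesystem = true

    # Non-secret configuration is plain environment...
    environment = [
      { name = "APP_ENV", value = "staging" },
      { name = "DB_HOST", value = aws_instance.data.private_ip },
      { name = "VALKEY_HOST", value = aws_instance.data.private_ip },
    ]
    # ...secrets are fetched by the execution role at task start and never stored in the task definition.
    # "<secret-arn>:<json-key>::" selects one key of a JSON secret.
    secrets = [
      { name = "DB_USER", valueFrom = "${aws_secretsmanager_secret.app_db.arn}:username::" },
      { name = "DB_PASSWORD", valueFrom = "${aws_secretsmanager_secret.app_db.arn}:password::" },
    ]

    logConfiguration = {
      logDriver = "awslogs"
      options = {
        "awslogs-group"         = aws_cloudwatch_log_group.api.name
        "awslogs-region"        = var.region
        "awslogs-stream-prefix" = "api"
      }
    }
  }])
}

resource "aws_ecs_service" "api" {
  name            = "api"
  cluster         = aws_ecs_cluster.staging.id
  task_definition = aws_ecs_task_definition.api.arn
  desired_count   = 2
  launch_type     = "FARGATE"

  network_configuration {
    subnets          = [for s in aws_subnet.private : s.id] # private subnets only
    security_groups  = [aws_security_group.ecs.id]
    assign_public_ip = false # tasks are reached only through the ALB
  }

  load_balancer {
    target_group_arn = aws_lb_target_group.api.arn
    container_name   = "api"
    container_port   = local.container_port
  }

  # A deployment whose tasks keep failing is rolled back to the last healthy task definition.
  deployment_circuit_breaker {
    enable   = true
    rollback = true
  }
}
```

Frontend, admin panel and workers follow the same shape (workers without the `load_balancer` block). For Anisette, omit `load_balancer`, add a `volume` with `efs_volume_configuration` (`transit_encryption = "ENABLED"` and `authorization_config { access_point_id = ..., iam = "ENABLED" }`) and a `mountPoints` entry at `/data`; the Anisette task role then needs `elasticfilesystem:ClientMount` and `elasticfilesystem:ClientWrite` on that file system, and the EFS mount targets' security group should admit NFS (2049) only from the ECS task security group.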

6. Validation

Confirm:

  • tasks start cleanly
  • health checks pass
  • logs are visible
  • database connectivity works
  • Valkey connectivity works
  • rollback works
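One of the checks above, expressed as a Terraform `check` block so that every plan and apply re-evaluates it; this is an added example, not part of the original plan. `var.api_hostname` (the staging API's public hostname, which the ALB certificate must cover) and the `/healthz` path are assumptions.

```hcl
# Added example (not the plan's own code). var.api_hostname and the /healthz path are assumed.

terraform {
  required_providers {
    http = {
      source = "hashicorp/http"
    }
  }
}

check "api_health" {
  # Plain HTTPS GET with certificate verification on; a TLS failure counts as a failed check.
  data "http" "api_health" {
    url = "https://${var.api_hostname}/healthz"
  }

  assert {
    condition     = data.http.api_health.status_code == 200
    error_message = "API health endpoint returned HTTP ${data.http.api_health.status_code}, expected 200"
  }
}
```

A failing `check` is reported as a warning and does not abort the apply, so to gate the pipeline read the `checks` section of `terraform show -json` after apply rather than relying on the exit code. Database and Valkey connectivity are better verified from inside a task (for example an ECS Exec session running `pg_isready` and `valkey-cli ping` against the data host), since the check above only proves the path through the ALB.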

VPC Detail Guidance

Do not block on exact subnet math before starting.

Terraform can create the VPC and subnet layout as part of the first infrastructure pass, as long as the project stays isolated within its own VPC in staging.

The hard constraints are that the layout must be:

  • isolated from other projects in the staging account
  • suitable for ALB, ECS, database, and Valkey
  • large enough for the number of services you intend to run
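The VPC and subnet layout that section 2 asks Terraform to create and that this section says not to hand-compute, as an added example that is not part of the original plan. The CIDR, region and AZ choice are assumptions; `cidrsubnet()` does the arithmetic, carving the /24 into eight /27s of which six are used (public, private and data tier in each of two AZs) and two are spare.

```hcl
# Added example (not the plan's own code). CIDR, region and AZs are assumed.

locals {
  vpc_cidr = "10.40.0.0/24" # assumed; must not overlap other staging VPCs or anything peered later
  azs      = { a = "eu-west-1a", b = "eu-west-1b" } # assumed
  # newbits = 3 splits the /24 into eight /27s (32 addresses, 27 usable after AWS reserves 5).
  # Subnet numbers 0-1 public, 2-3 private (ECS), 4-5 data, 6-7 spare.
  tiers = { public = 0, private = 2, data = 4 }
}

resource "aws_vpc" "staging" {
  cidr_block           = local.vpc_cidr
  enable_dns_support   = true
  enable_dns_hostnames = true
  tags                 = { Name = "staging-this-app", Project = "this-app" }
}

# One subnet per tier per AZ; keys "a"/"b" are reused by other resources.
resource "aws_subnet" "public" {
  for_each                = local.azs
  vpc_id                  = aws_vpc.staging.id
  availability_zone       = each.value
  cidr_block              = cidrsubnet(local.vpc_cidr, 3, local.tiers.public + index(keys(local.azs), each.key))
  map_public_ip_on_launch = false # the ALB does not need it and nothing else should be public
  tags                    = { Name = "staging-public-${each.key}", Tier = "public" }
}

resource "aws_subnet" "private" {
  for_each          = local.azs
  vpc_id            = aws_vpc.staging.id
  availability_zone = each.value
  cidr_block        = cidrsubnet(local.vpc_cidr, 3, local.tiers.private + index(keys(local.azs), each.key))
  tags              = { Name = "staging-private-${each.key}", Tier = "private" }
}

resource "aws_subnet" "data" {
  for_each          = local.azs
  vpc_id            = aws_vpc.staging.id
  availability_zone = each.value
  cidr_block        = cidrsubnet(local.vpc_cidr, 3, local.tiers.data + index(keys(local.azs), each.key))
  tags              = { Name = "staging-data-${each.key}", Tier = "data" }
}

resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.staging.id
}

# A single NAT gateway is a deliberate staging cost trade-off: egress has no AZ redundancy.
resource "aws_eip" "nat" {
  domain = "vpc"
}

resource "aws_nat_gateway" "nat" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public["a"].id
  depends_on    = [aws_internet_gateway.igw]
}

resource "aws_route_table" "public" {
  vpc_id = aws_vpc.staging.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}

# Private and data subnets share one table: outbound via NAT, no inbound route from the internet.
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.staging.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat.id
  }
}

resource "aws_route_table_association" "public" {
  for_each       = aws_subnet.public
  subnet_id      = each.value.id
  route_table_id = aws_route_table.public.id
}

resource "aws_route_table_association" "private" {
  for_each       = merge(aws_subnet.private, { for k, s in aws_subnet.data : "data-${k}" => s })
  subnet_id      = each.value.id
  route_table_id = aws_route_table.private.id
}
```

With two /27 private subnets the ECS tier has 54 usable addresses in total, and each running task consumes one, so a deployment that doubles task count during a rolling update needs twice the steady-state headroom. If that becomes tight, the fix is a larger VPC CIDR at creation time, not a bigger `newbits`; resizing a VPC in place is not possible, although a secondary CIDR block can be associated later.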

What to Keep Out of Scope

Do not include production coexistence details in this document.

Do not include database peering or HAProxy access planning here.

Do not attempt to model shared platform resources in this staging blueprint.