The infrastructure template (devops/infrastructure/template.yml) is the main application stack for the GSM platform. It provisions every layer of the application: a CloudFront distribution backed by an S3 bucket for the React SPA frontend, a private EC2 instance running ECS with bridge networking for the four backend microservices, an ECR repository for container images, an Elastic IP for stable public addressing, AWS Budgets with SNS alerting for cost visibility, and all supporting IAM roles, security groups, and log groups. The stack is designed to run on top of an existing VPC and subnet — no network infrastructure is created here.
Secret value injected as the X-CloudFront-Origin custom origin header on requests from CloudFront to the EC2 backend. The ECS gateway service can verify this header to reject direct traffic that bypasses CloudFront.
Desired number of running tasks for each of the four ECS services. Set to 0 on initial deploy; the Scheduler stack manages scaling during business hours.
SSM Parameter Store path for the database master connection URL. Injected into the Auth, Application, and Operations task definitions as the DB_MASTER_URL secret.
Public IP address of an existing Elastic IP to use as the CloudFront custom origin for the backend. Leave empty to use the newly allocated EIP attached to the EC2 instance (Ec2ElasticIp). When set, the NoExistEIP condition evaluates to false and ECSInstance.PublicDnsName is not used as the backend origin.
Hosts the compiled React SPA. Versioning is enabled. All public access is blocked — CloudFront is the only authorized reader via an Origin Access Control (OAC). Server-side encryption uses AES-256.
Grants s3:GetObject, s3:ListBucket, and s3:GetBucketLocation to cloudfront.amazonaws.com conditioned on the specific CloudFront distribution ARN. All non-HTTPS (aws:SecureTransport: false) requests are explicitly denied for all principals.
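The bucket, its OAC and the two-statement policy described above look like the following in CloudFormation YAML. This is an added illustration written for this page, not an excerpt from devops/infrastructure/template.yml; the logical names FrontendBucket, SpaOriginAccessControl, FrontendBucketPolicy and SpaDistribution are assumed, and the distribution resource itself is assumed to be defined elsewhere in the stack.

```yaml
# Added example (not the GSM template's own resources). Assumed logical IDs:
# FrontendBucket, SpaOriginAccessControl, FrontendBucketPolicy, SpaDistribution.
Resources:
  FrontendBucket:
    Type: AWS::S3::Bucket
    Properties:
      VersioningConfiguration:
        Status: Enabled
      # Block every form of public access; CloudFront reads via OAC only.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256

  SpaOriginAccessControl:
    Type: AWS::CloudFront::OriginAccessControl
    Properties:
      OriginAccessControlConfig:
        Name: !Sub ${AWS::StackName}-spa-oac
        OriginAccessControlOriginType: s3
        SigningBehavior: always   # CloudFront signs every origin request with SigV4
        SigningProtocol: sigv4

  FrontendBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref FrontendBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Only the CloudFront service principal, and only on behalf of this
          # one distribution (aws:SourceArn), may read objects and list the bucket.
          - Sid: AllowCloudFrontViaOAC
            Effect: Allow
            Principal:
              Service: cloudfront.amazonaws.com
            Action:
              - s3:GetObject
              - s3:ListBucket
              - s3:GetBucketLocation
            Resource:
              - !GetAtt FrontendBucket.Arn
              - !Sub ${FrontendBucket.Arn}/*
            Condition:
              StringEquals:
                AWS:SourceArn: !Sub arn:aws:cloudfront::${AWS::AccountId}:distribution/${SpaDistribution}
          # Explicit deny wins over any allow: no plaintext HTTP to the bucket
          # from any principal, including the account's own users and roles.
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: '*'
            Action: s3:*
            Resource:
              - !GetAtt FrontendBucket.Arn
              - !Sub ${FrontendBucket.Arn}/*
            Condition:
              Bool:
                aws:SecureTransport: 'false'
```

Two points worth checking when reviewing the real policy: the aws:SourceArn condition is what stops any other distribution in any account from reading the bucket through its own OAC, so it must name a single distribution rather than a wildcard; and granting s3:ListBucket is what turns a missing object into a 404 instead of a 403, which is the behaviour the viewer-request function below relies on.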
A CloudFront viewer-request function that rewrites extensionless URL paths (e.g. /dashboard, /login) to /index.html so the React router handles client-side navigation without returning 403/404 from S3.
```javascript
function handler(event) {
  var request = event.request;
  // Last path segment, e.g. "dashboard" for /dashboard or "app.js" for /static/app.js
  var lastSegment = request.uri.split('/').pop();
  // No file extension: treat it as a client-side route and serve the SPA shell
  if (!lastSegment.includes('.')) {
    request.uri = '/index.html';
  }
  return request;
}
```
Single private ECR repository that stores all four microservice images using tag conventions: gateway-latest, auth-latest, application-latest, gsmoperations-latest.
Shared CloudWatch log group for all four microservice containers. Each container writes to a distinct stream prefix (gmsgateway, gmsauth, gsmapplication, gsmoperations).
The ECS task execution role. Trusted by ecs-tasks.amazonaws.com. Also receives the ECSRoleSSMPolicy managed policy for SSM Parameter Store and KMS access.
Grants ssm:GetParameter and ssm:GetParameters on /{Environment}/* parameters, and kms:Decrypt on account KMS keys so tasks can resolve secrets at startup.
ECS Task Definitions
All four task definitions share the following configuration:
Trusted by ec2.amazonaws.com. Includes an inline policy granting ssm:GetParameter* and kms:Decrypt scoped to /{Environment}/* parameters so the ECS agent can pull secrets during task startup.
Provides a stable public IP address for the EC2 ECS host. CloudFront uses this IP as the backend custom origin endpoint. The Scheduler stack manages disassociation (before shutdown) and reassociation (after startup) to avoid charges for idle Elastic IPs.