Architecture Overview
How the central infrastructure repository is structured and how it relates to per-project infrastructure.
Production
Central vs Per-Project Infrastructure
Ontopix follows a hybrid infrastructure model:
- This repository (ontopix/infra) manages platform-wide foundational resources
- Application repositories manage their own resources in .infra/ directories
ontopix/infra (this repo) Application repos
┌─────────────────────────┐ ┌──────────────────┐
│ DNS zones & records │ │ .infra/ │
│ IAM roles & OIDC │◄───────│ database.tf │
│ ECR access roles │ uses │ cache.tf │
│ CodeArtifact registry │ roles │ storage.tf │
│ Cost alerts │ └──────────────────┘
└─────────────────────────┘
This repository is the only exception to the .infra/ convention — infrastructure lives at the repository root because this repository IS infrastructure.
Module Map
All Terraform modules are under global/ and composed in global/main.tf:
global/
├── main.tf # Module composition and provider config
├── backend.tf # S3 + DynamoDB remote state
├── variables.tf # Global variables
├── outputs.tf # Exported values
├── route53/ # DNS management
├── iam/ # Roles, policies, OIDC provider
├── ecr/ # ECR OIDC access roles
├── codeartifact/ # Private package registry
├── cost-alerts/ # Budget monitoring
└── amplify/ # Amplify DNS (deprecated)
Provider Configuration
- Terraform: >= 1.0
- AWS Provider: ~> 5.0 (see ADR-002 for v6 migration plans)
- Default tags: All resources are tagged with Project=ontopix-infra, ManagedBy=terraform, Repository=ontopix/infra
Remote State
Terraform state is stored remotely with locking:
| Component | Resource | Region |
|---|---|---|
| State storage | S3 bucket ontopix-tfstate | eu-west-1 |
| State locking | DynamoDB table ontopix-tflocks | eu-west-1 |
| State key | global/terraform.tfstate | — |
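
The settings from Provider Configuration and Remote State, written out as Terraform configuration. This is an added example, not the repository's actual backend.tf or main.tf. The bucket, table, key, region, version constraints and tags come from this page; `encrypt = true` and the `hashicorp/aws` source address are assumptions.

```hcl
# backend.tf (illustrative): remote state in S3 with DynamoDB locking
terraform {
  required_version = ">= 1.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws" # assumption: standard registry source
      version = "~> 5.0"        # v6 migration is tracked in ADR-002
    }
  }

  backend "s3" {
    bucket         = "ontopix-tfstate"          # state storage
    key            = "global/terraform.tfstate" # state key
    region         = "eu-west-1"
    dynamodb_table = "ontopix-tflocks"          # state locking
    encrypt        = true # assumption: state can hold secrets, so
                          # request server-side encryption on write
  }
}

# main.tf (illustrative): provider-level default tags, so every
# resource created through this provider carries the ownership tags
provider "aws" {
  default_tags {
    tags = {
      Project    = "ontopix-infra"
      ManagedBy  = "terraform"
      Repository = "ontopix/infra"
    }
  }
}
```

Backend blocks cannot reference variables, which is why the bucket, key and table names appear as literals.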