Terraform-managed AWS infrastructure for javaBin, the Norwegian Java User Group.
This is the central infrastructure repo. It provisions shared AWS resources (VPC, ALB, ECS cluster, IAM, monitoring) and provides reusable Terraform modules and GitHub Actions workflows that app repos consume.
Push to main → `terraform plan` → LLM risk review → `terraform apply`

- No-change plans skip review and apply automatically
- HIGH risk changes block auto-apply and notify Slack; a board member can override
- Plan artifacts are stored in S3 and SHA-verified before apply

See `docs/ci-workflow.md` for details.
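As an added illustration of the gate described above (example code written for this README, not the repo's `scripts/` or workflow logic): a Python sketch that rejects a plan artifact whose SHA-256 no longer matches the digest recorded at plan time, treats a no-op plan as nothing to review, and blocks a HIGH-risk plan unless an override is set. The HIGH-risk rule (destructive changes to IAM, security-group, VPC or Route53 resources) is an assumed stand-in for the LLM review, and the plan JSON shape follows `terraform show -json`.

```python
import hashlib
import hmac

# Resource types whose deletion or replacement counts as HIGH risk here. This is an
# illustrative stand-in for the repo's LLM review, not its actual criteria.
SENSITIVE_PREFIXES = ("aws_iam_", "aws_security_group", "aws_vpc", "aws_route53_")


def verify_artifact(plan_bytes: bytes, expected_sha256: str) -> bool:
    """Compare the downloaded plan artifact against the digest recorded at plan time."""
    actual = hashlib.sha256(plan_bytes).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())


def classify_plan(plan_json: dict) -> str:
    """Classify `terraform show -json` output as NONE (no changes), HIGH or LOW."""
    changes = plan_json.get("resource_changes", [])
    actions = [set(c["change"]["actions"]) for c in changes]
    if all(a <= {"no-op", "read"} for a in actions):
        return "NONE"  # nothing to apply: review is skipped
    for change, acts in zip(changes, actions):
        # A replacement shows up as ["delete", "create"] (either order), so checking
        # for "delete" covers both plain deletes and replacements.
        if "delete" in acts and change["type"].startswith(SENSITIVE_PREFIXES):
            return "HIGH"
    return "LOW"


def gate(plan_bytes: bytes, expected_sha256: str, plan_json: dict,
         override: bool = False) -> str:
    """Return REJECT (artifact mismatch), BLOCK (HIGH risk without override) or APPLY."""
    if not verify_artifact(plan_bytes, expected_sha256):
        return "REJECT"
    if classify_plan(plan_json) == "HIGH" and not override:
        return "BLOCK"
    return "APPLY"


# Constructed sample inputs standing in for the S3 artifact and the plan JSON.
SAMPLE_PLAN_BYTES = b"constructed terraform plan artifact"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_PLAN_BYTES).hexdigest()
NOOP_PLAN = {"resource_changes": [
    {"address": "module.iam.aws_iam_role.ci", "type": "aws_iam_role",
     "change": {"actions": ["no-op"]}}]}
HIGH_PLAN = {"resource_changes": [
    {"address": "module.iam.aws_iam_role.ci", "type": "aws_iam_role",
     "change": {"actions": ["delete", "create"]}},
    {"address": "module.compute.aws_ecs_cluster.main", "type": "aws_ecs_cluster",
     "change": {"actions": ["update"]}}]}
```

`gate(SAMPLE_PLAN_BYTES, SAMPLE_SHA256, HIGH_PLAN)` returns `BLOCK`; the same call with `override=True` returns `APPLY`, and any change to the artifact bytes returns `REJECT` before the plan is even classified.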
```text
terraform/
  platform/           7 sub-modules (networking, ingress, iam, compute, monitoring, lambdas, identity)
  modules/            12 reusable modules for app repos
  lambda-src/         Python handlers for 6 Lambda functions
  org/                AWS Organizations (human-applied, no CI)
  state/              State backend bootstrap config
scripts/              Bootstrap, code generation, plan review, block notification
docs/                 Architecture docs, runbooks, references
.github/workflows/    13 workflows (platform CI + reusable app workflows)
```
| Module | Purpose |
|---|---|
| networking | VPC, subnets, NAT gateway, security groups |
| ingress | ALB, ACM certificates, Route53 DNS |
| iam | GitHub OIDC provider, CI roles, permission boundary |
| compute | ECS Fargate cluster, ECR base config |
| monitoring | SNS topics, EventBridge rules, Config, GuardDuty, Security Hub |
| lambdas | Slack alerts, cost reports, compliance, override cleanup, team provisioner |
| identity | IAM Identity Center (SAML + Google), Cognito user pools, 2FA |
- Register your team in javaBin/registry
- Add `app.yaml` to your repo root (see the app.yaml reference under `docs/`)
- Call the reusable workflow from your repo's CI:

  ```yaml
  jobs:
    platform:
      uses: javaBin/platform/.github/workflows/javabin.yml@main
  ```

- The workflow detects your repo contents, builds, plans infra, reviews, and deploys
App repos source these via `git::` URLs:

| Module | What |
|---|---|
| app-stack | Golden path — reads `app.yaml`, creates all infra |
| ecr-repo | ECR repository with lifecycle policy |
| ecs-service | ECS Fargate service definition |
| service-routing | ALB target group + listener rule + DNS |
| service-role | ECS task IAM role with composable policies |
| service-bucket | S3 bucket with IAM policy output |
| service-database | DynamoDB table with IAM policy output |
| service-secret | SSM Parameter Store SecureString with IAM policy output |
| service-queue | SQS queue + DLQ with IAM policy output |
| service-alarm | CloudWatch alarms for ECS service |
| platform-data | Read-only data sources for shared infra |
| cognito-app-client | Cognito app client registration |
- Platform modules — sub-module architecture
- Lambda functions — triggers, SSM params, env vars
- CI workflow — plan, review, apply pipeline
- Reusable modules — app module inputs/outputs
- Reusable workflows — javabin.yml orchestration
- app.yaml reference — service configuration schema
- Bootstrap runbook — state backend setup
- Org runbook — AWS Organizations setup

- javaBin/registry — team registration
- javaBin/app-template — starter template for new services
- javaBin/javabin-cli — developer CLI
- javaBin/docs — organization-wide documentation