Pulumi (TypeScript) stacks that provision shared AWS infrastructure and security-focused applications: core-aws (VPC, ECS cluster, Traefik, NLB), openbao-aws (OpenBao secrets manager), authentik-aws (identity provider), and emergency-bastion (emergency RDS access).
- core-aws – Shared VPC, ECS cluster, Traefik (ACME + Route53), NLB, EFS. Application stacks reference it via StackReference and deploy into the same cluster; Traefik discovers services via ECS and routes by hostname.
- openbao-aws – OpenBao on ECS Fargate with Aurora Serverless v2 (PostgreSQL) and AWS KMS auto-unseal. Runs behind Traefik; TLS via ACME/Route53.
- authentik-aws – Authentik server and workers on ECS, Aurora PostgreSQL. Routes via Traefik.
- emergency-bastion – Bastion EC2 host for emergency access to the OpenBao RDS instance (SSH + psql). Optional.
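As an added illustration of the routing model above (example code, not this repository's own), an application stack names the core-aws stack it reads from and attaches Traefik labels to its ECS container definition so Traefik routes the service by hostname and obtains its certificate through the ACME/Route53 resolver. The entrypoint name "websecure", the certresolver name "route53", the helper names, and the idea that the hosted zone name comes from a core-aws output are assumptions; the zone check refuses a hostname the Route53 DNS challenge could never validate.

```typescript
// Added example (not this repository's code): Traefik labels for an ECS
// container definition so Traefik's ECS provider routes the service by
// hostname and obtains its certificate via the ACME/Route53 resolver.
// Assumed names: entrypoint "websecure", certresolver "route53".

interface RouteSpec {
  name: string;         // router/service name, e.g. "openbao"
  host: string;         // public hostname, e.g. "openbao.example.com"
  port: number;         // container port Traefik forwards to
  zone: string;         // Route53 hosted zone name (assumed core-aws output)
  certResolver?: string;
  entryPoint?: string;
}

// True when host is the zone apex or a subdomain of it. A hostname outside the
// hosted zone cannot pass the Route53 DNS-01 challenge, so Traefik would fall
// back to its self-signed default certificate for that router.
function inZone(host: string, zone: string): boolean {
  const h = host.toLowerCase().replace(/\.$/, "");
  const z = zone.toLowerCase().replace(/\.$/, "");
  return h === z || h.endsWith("." + z);
}

// Builds the dockerLabels map for the service's container definition.
function traefikLabels(spec: RouteSpec): Record<string, string> {
  if (!/^[a-z0-9-]+$/.test(spec.name)) {
    throw new Error(`router name must match [a-z0-9-]+: ${spec.name}`);
  }
  if (!inZone(spec.host, spec.zone)) {
    throw new Error(`${spec.host} is outside hosted zone ${spec.zone}`);
  }
  const r = `traefik.http.routers.${spec.name}`;
  const s = `traefik.http.services.${spec.name}`;
  return {
    "traefik.enable": "true",
    [`${r}.rule`]: `Host(\`${spec.host}\`)`,
    [`${r}.entrypoints`]: spec.entryPoint ?? "websecure",
    [`${r}.tls.certresolver`]: spec.certResolver ?? "route53",
    [`${s}.loadbalancer.server.port`]: String(spec.port),
  };
}

// Fully qualified name passed to new pulumi.StackReference(...), in the
// org/project/stack form; "organization" is the org named in this README.
function coreStackRef(stack: string, org = "organization"): string {
  return `${org}/core-aws/${stack}`;
}
```

The returned map goes into the container definition's dockerLabels; the StackReference name goes into the application stack's Pulumi program.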
- Pulumi CLI
- Node.js 20+
- AWS CLI configured
- Route53 hosted zone for your domain
- Backend: s3://pulumi-state-2e089842 (StackReference org: organization)
- core-aws – VPC, ECS, Traefik, NLB
- openbao-aws – OpenBao
- authentik-aws – Authentik
- emergency-bastion (optional)
See docs/INITIALIZATION.md for step-by-step config and deployment.
| Stack | Description |
|---|---|
| core-aws/README.md | VPC, ECS cluster, Traefik (ACME/Route53), NLB |
| openbao-aws/README.md | OpenBao on ECS with Aurora, KMS auto-unseal |
| emergency-bastion/README.md | Emergency bastion for RDS access |
```sh
cd <stack>             # core-aws, openbao-aws, authentik-aws, emergency-bastion
pulumi install
pulumi stack init prod # or dev
# Set required config, see stack README
pulumi preview         # Confirm expected output
pulumi up
```