From 763ecaa708cc793c200e4152fbdf26e491a3a3f0 Mon Sep 17 00:00:00 2001 From: Alexis Renard <16952679+alexis-renard@users.noreply.github.com> Date: Wed, 10 Sep 2025 12:35:43 +0200 Subject: [PATCH 1/6] docs: add some first missing details in the guide.md --- docs/deployment/guide.md | 45 ++++++++++++++++++++-------------------- 1 file changed, 23 insertions(+), 22 deletions(-) diff --git a/docs/deployment/guide.md b/docs/deployment/guide.md index 8f14375..13c333f 100644 --- a/docs/deployment/guide.md +++ b/docs/deployment/guide.md @@ -10,9 +10,10 @@ But today, we want to allow self-hosting of the solution. The Terraform and depl ## Prerequisites -- An AWS account -- Terraform +- An AWS account with an S3 bucket available to store the terraform tfstate. +- Terraform installed (either on a CI or locally) - A domain name within Route53 (or a delegation to Route53) + - Records will need to be created, and certificates to be validated through DNS. **_Note: root access to AWS account is not required_** @@ -48,7 +49,7 @@ You can deploy IroCO2 in any region supported by AWS. Exception: the client side 1. Clone the [terraform repository](https://github.com/ippontech/iroco2-terraform-modules) 2. Each directory in the `layers` folder is a terraform project. For each : - 1. Add you backend configuration in the `backend-configs` directory as well as environment configuration in the `env-configs` directory + 1. Add your backend configuration in the `backend-configs` directory as well as environment configuration in the `env-configs` directory 2. Initialize the terraform project with `terraform init -backend-config=../backend-configs/.tfvars -var-file=../env-configs/.tfvars` 3. Provide all the needed variables in a tfvars file in the `tfvars` directory 4. Apply the terraform project with `terraform apply -var-file=../tfvars/.tfvars` @@ -94,25 +95,25 @@ There is no licence cost, the software is free to use. Use this as a quick checklist to estimate costs. “Mandatory” means required for a typical production-like deployment of IroCO2; “Optional” indicates features you can disable if you don’t need them. -| AWS Service | Purpose | Mandatory/Optional | Notes | -| --- | --- | --- | --- | -| Amazon VPC | Network isolation | Mandatory | One VPC with public/private subnets. | -| NAT Gateway | Egress for private subnets | Optional | Use only if private subnets need general internet egress. You can avoid NAT by using VPC endpoints and limiting egress. | -| Elastic Load Balancing (ALB) | Ingress for backend API | Mandatory | If API is public or behind CloudFront. Internal NLB/ALB possible for private-only use. | -| Amazon ECS on Fargate | Run backend containers | Mandatory | Minimum one service for API. | -| Amazon ECR | Container image registry | Optional | You may pull from Docker Hub ippontech/iroco2-backend; using ECR improves reliability and IAM control. | -| Amazon RDS (PostgreSQL) | Application database | Mandatory | Sized per workload; automatic backups recommended. | -| AWS Lambda | Scanner/ETL functions | Optional (per feature) | Mandatory only if you enable the Scanner and/or CUR ingestion functions. | -| Amazon SQS | Asynchronous messaging/decoupling | Optional (per feature) | Used for background processing and decoupling when enabled; costs per requests and polling. | -| Amazon S3 | Frontend hosting, assets, CUR storage | Mandatory | Always required for static frontend hosting; additionally used for CUR if the feature is enabled. | -| Amazon CloudFront | Global CDN for frontend | Mandatory | Serves the UI with TLS and caching. | -| AWS Certificate Manager (ACM) | TLS certificates | Mandatory | Required for CloudFront/ALB HTTPS. | -| Amazon Route 53 | DNS | Mandatory | Public hosted zone or delegated subdomain for your domain. | -| AWS Secrets Manager | Store DB creds and app secrets | Mandatory | Rotation recommended; can also use SSM Parameter Store. | -| AWS Key Management Service (KMS) | Encryption keys | Mandatory | Required to encrypt RDS, S3, Secrets; you may start with AWS-managed keys or use customer-managed keys. | -| Amazon CloudWatch (Logs/Metrics/Alarms) | Observability | Mandatory | Container logs, Lambda logs, dashboards/alarms. | -| AWS Backup | Centralized backups | Optional | RDS snapshots are sufficient for many; AWS Backup adds policy-based mgmt. | -| VPC Endpoints (Gateway/Interface) | Private access to AWS APIs | Mandatory when NAT disabled; otherwise Optional | Required if you disable NAT and keep workloads in private subnets to reach AWS APIs without internet egress. | +| AWS Service | Purpose | Mandatory/Optional | Notes | +|-----------------------------------------|---------------------------------------|-------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------| +| Amazon VPC | Network isolation | Mandatory | One VPC with public/private subnets. | +| NAT Gateway | Egress for private subnets | Optional | Use only if private subnets need general internet egress. You can avoid NAT by using VPC endpoints and limiting egress. | +| Elastic Load Balancing (ALB) | Ingress for backend API | Mandatory | If API is public or behind CloudFront. Internal NLB/ALB possible for private-only use. | +| Amazon ECS on Fargate | Run backend containers | Mandatory | Minimum one service for API. | +| Amazon ECR | Container image registry | Optional | You may pull from Docker Hub ippontech/iroco2-backend; using ECR improves reliability and IAM control. | +| Amazon RDS (PostgreSQL) | Application database | Mandatory | Sized per workload; automatic backups recommended. | +| AWS Lambda | Scanner/ETL functions | Optional (per feature) | Mandatory only if you enable the Scanner and/or CUR ingestion functions. | +| Amazon SQS | Asynchronous messaging/decoupling | Optional (per feature) | Used for background processing and decoupling when enabled; costs per requests and polling. | +| Amazon S3 | Frontend hosting, assets, CUR storage | Mandatory | Always required for static frontend hosting; additionally used for CUR if the feature is enabled. | +| Amazon CloudFront | Global CDN for frontend | Mandatory | Serves the UI with TLS and caching. | +| AWS Certificate Manager (ACM) | TLS certificates | Mandatory | Required for CloudFront/ALB HTTPS. | +| Amazon Route 53 | DNS | Mandatory | Public hosted zone or delegated subdomain for your domain. | +| AWS Secrets Manager | Store DB creds and app secrets | Mandatory | Rotation recommended; can also use SSM Parameter Store. | +| AWS Key Management Service (KMS) | Encryption keys | Mandatory | Required to encrypt RDS, S3, Secrets; you may start with AWS-managed keys or use customer-managed keys. | +| Amazon CloudWatch (Logs/Metrics/Alarms) | Observability | Mandatory | Container logs, Lambda logs, dashboards/alarms. | +| AWS Backup | Centralized backups | Optional | RDS snapshots are sufficient for many; AWS Backup adds policy-based mgmt. | +| VPC Endpoints (Gateway/Interface) | Private access to AWS APIs | Mandatory when NAT disabled; otherwise Optional | Required if you disable NAT and keep workloads in private subnets to reach AWS APIs without internet egress. | Evidence Bookmark: Billable Services List - Link: docs/deployment/guide.md From 3bfdd41a5b5a3cc9c83da2b815e4378fe307966c Mon Sep 17 00:00:00 2001 From: Alexis Renard <16952679+alexis-renard@users.noreply.github.com> Date: Wed, 10 Sep 2025 12:35:43 +0200 Subject: [PATCH 2/6] docs: add some first missing details in the guide.md --- docs/deployment/guide.md | 45 ++++++++++++++++++++-------------------- 1 file changed, 23 insertions(+), 22 deletions(-) diff --git a/docs/deployment/guide.md b/docs/deployment/guide.md index 8f14375..13c333f 100644 --- a/docs/deployment/guide.md +++ b/docs/deployment/guide.md @@ -10,9 +10,10 @@ But today, we want to allow self-hosting of the solution. The Terraform and depl ## Prerequisites -- An AWS account -- Terraform +- An AWS account with an S3 bucket available to store the terraform tfstate. +- Terraform installed (either on a CI or locally) - A domain name within Route53 (or a delegation to Route53) + - Records will need to be created, and certificates to be validated through DNS. **_Note: root access to AWS account is not required_** @@ -48,7 +49,7 @@ You can deploy IroCO2 in any region supported by AWS. Exception: the client side 1. Clone the [terraform repository](https://github.com/ippontech/iroco2-terraform-modules) 2. Each directory in the `layers` folder is a terraform project. For each : - 1. Add you backend configuration in the `backend-configs` directory as well as environment configuration in the `env-configs` directory + 1. Add your backend configuration in the `backend-configs` directory as well as environment configuration in the `env-configs` directory 2. Initialize the terraform project with `terraform init -backend-config=../backend-configs/.tfvars -var-file=../env-configs/.tfvars` 3. Provide all the needed variables in a tfvars file in the `tfvars` directory 4. Apply the terraform project with `terraform apply -var-file=../tfvars/.tfvars` @@ -94,25 +95,25 @@ There is no licence cost, the software is free to use. Use this as a quick checklist to estimate costs. “Mandatory” means required for a typical production-like deployment of IroCO2; “Optional” indicates features you can disable if you don’t need them. -| AWS Service | Purpose | Mandatory/Optional | Notes | -| --- | --- | --- | --- | -| Amazon VPC | Network isolation | Mandatory | One VPC with public/private subnets. | -| NAT Gateway | Egress for private subnets | Optional | Use only if private subnets need general internet egress. You can avoid NAT by using VPC endpoints and limiting egress. | -| Elastic Load Balancing (ALB) | Ingress for backend API | Mandatory | If API is public or behind CloudFront. Internal NLB/ALB possible for private-only use. | -| Amazon ECS on Fargate | Run backend containers | Mandatory | Minimum one service for API. | -| Amazon ECR | Container image registry | Optional | You may pull from Docker Hub ippontech/iroco2-backend; using ECR improves reliability and IAM control. | -| Amazon RDS (PostgreSQL) | Application database | Mandatory | Sized per workload; automatic backups recommended. | -| AWS Lambda | Scanner/ETL functions | Optional (per feature) | Mandatory only if you enable the Scanner and/or CUR ingestion functions. | -| Amazon SQS | Asynchronous messaging/decoupling | Optional (per feature) | Used for background processing and decoupling when enabled; costs per requests and polling. | -| Amazon S3 | Frontend hosting, assets, CUR storage | Mandatory | Always required for static frontend hosting; additionally used for CUR if the feature is enabled. | -| Amazon CloudFront | Global CDN for frontend | Mandatory | Serves the UI with TLS and caching. | -| AWS Certificate Manager (ACM) | TLS certificates | Mandatory | Required for CloudFront/ALB HTTPS. | -| Amazon Route 53 | DNS | Mandatory | Public hosted zone or delegated subdomain for your domain. | -| AWS Secrets Manager | Store DB creds and app secrets | Mandatory | Rotation recommended; can also use SSM Parameter Store. | -| AWS Key Management Service (KMS) | Encryption keys | Mandatory | Required to encrypt RDS, S3, Secrets; you may start with AWS-managed keys or use customer-managed keys. | -| Amazon CloudWatch (Logs/Metrics/Alarms) | Observability | Mandatory | Container logs, Lambda logs, dashboards/alarms. | -| AWS Backup | Centralized backups | Optional | RDS snapshots are sufficient for many; AWS Backup adds policy-based mgmt. | -| VPC Endpoints (Gateway/Interface) | Private access to AWS APIs | Mandatory when NAT disabled; otherwise Optional | Required if you disable NAT and keep workloads in private subnets to reach AWS APIs without internet egress. | +| AWS Service | Purpose | Mandatory/Optional | Notes | +|-----------------------------------------|---------------------------------------|-------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------| +| Amazon VPC | Network isolation | Mandatory | One VPC with public/private subnets. | +| NAT Gateway | Egress for private subnets | Optional | Use only if private subnets need general internet egress. You can avoid NAT by using VPC endpoints and limiting egress. | +| Elastic Load Balancing (ALB) | Ingress for backend API | Mandatory | If API is public or behind CloudFront. Internal NLB/ALB possible for private-only use. | +| Amazon ECS on Fargate | Run backend containers | Mandatory | Minimum one service for API. | +| Amazon ECR | Container image registry | Optional | You may pull from Docker Hub ippontech/iroco2-backend; using ECR improves reliability and IAM control. | +| Amazon RDS (PostgreSQL) | Application database | Mandatory | Sized per workload; automatic backups recommended. | +| AWS Lambda | Scanner/ETL functions | Optional (per feature) | Mandatory only if you enable the Scanner and/or CUR ingestion functions. | +| Amazon SQS | Asynchronous messaging/decoupling | Optional (per feature) | Used for background processing and decoupling when enabled; costs per requests and polling. | +| Amazon S3 | Frontend hosting, assets, CUR storage | Mandatory | Always required for static frontend hosting; additionally used for CUR if the feature is enabled. | +| Amazon CloudFront | Global CDN for frontend | Mandatory | Serves the UI with TLS and caching. | +| AWS Certificate Manager (ACM) | TLS certificates | Mandatory | Required for CloudFront/ALB HTTPS. | +| Amazon Route 53 | DNS | Mandatory | Public hosted zone or delegated subdomain for your domain. | +| AWS Secrets Manager | Store DB creds and app secrets | Mandatory | Rotation recommended; can also use SSM Parameter Store. | +| AWS Key Management Service (KMS) | Encryption keys | Mandatory | Required to encrypt RDS, S3, Secrets; you may start with AWS-managed keys or use customer-managed keys. | +| Amazon CloudWatch (Logs/Metrics/Alarms) | Observability | Mandatory | Container logs, Lambda logs, dashboards/alarms. | +| AWS Backup | Centralized backups | Optional | RDS snapshots are sufficient for many; AWS Backup adds policy-based mgmt. | +| VPC Endpoints (Gateway/Interface) | Private access to AWS APIs | Mandatory when NAT disabled; otherwise Optional | Required if you disable NAT and keep workloads in private subnets to reach AWS APIs without internet egress. | Evidence Bookmark: Billable Services List - Link: docs/deployment/guide.md From f205ba856b04ba031fd9e522ca0ba16f2f4f7816 Mon Sep 17 00:00:00 2001 From: Sebastien Date: Mon, 20 Oct 2025 14:52:36 +0200 Subject: [PATCH 3/6] chore: update deployment guide --- docs/deployment/guide.md | 123 ++++++++++++++++++++++++++++++++++----- 1 file changed, 107 insertions(+), 16 deletions(-) diff --git a/docs/deployment/guide.md b/docs/deployment/guide.md index 13c333f..1d2a2e3 100644 --- a/docs/deployment/guide.md +++ b/docs/deployment/guide.md @@ -4,16 +4,19 @@ This is the primary, streamlined path to deploy the solution. It contains only w ## Context -IroCO2 has been designed to be a SaaS at first and deployed in Ippon AWS account without possibility to self-host it. The Terraform currently present in the repositories is the one we used to maintain the SaaS deployment. +IroCO2 is currently designed to be deployed on AWS with Terraform. +The typical deployment is described in the following document. -But today, we want to allow self-hosting of the solution. The Terraform and deployment approach currently present is not ideal for this purpose. But we plan to improve it in out next steps. If you want to self-host the solution, you can use the Terraform currently present in the repositories by reading this documentation. +In the future, we want to allow additionnal platforms and self-hosting. ## Prerequisites - An AWS account with an S3 bucket available to store the terraform tfstate. +- (optionnal) For *client-side-scanner* module, a symetrical KMS key, available within you AWS account - Terraform installed (either on a CI or locally) - A domain name within Route53 (or a delegation to Route53) - Records will need to be created, and certificates to be validated through DNS. +- Go development tools on your local machine **_Note: root access to AWS account is not required_** @@ -26,14 +29,16 @@ But today, we want to allow self-hosting of the solution. The Terraform and depl - Containers/runtime (selecting image tags, health checks): basic ## Estimated deployment time - + Summary (elapsed): -- Quick: 1.5–3h -- Typical first-time: 4-6h +- Configuration: 30m +- Deployment infra: 1h +- Deployment code: 1h +- Validation tests: 30m Steps (human + AWS wait): -1) AWS prereqs/account: 15–60m -2) Terraform layers (3–5): 1.5–3h total +1) AWS prereqs/account: 30m +2) Terraform layers (3–5): 30m 3) Backend (`iroco2-backend`): 30–60m 4) Frontend (S3/CloudFront): 25–60m (incl. propagation) 5) Lambdas: 25–45m @@ -45,24 +50,102 @@ Notes: Faster with org-ready IAM/Route53 and reusable `tfvars`. Slower with miss You can deploy IroCO2 in any region supported by AWS. Exception: the client side scanner lambda need to be deployed in `eu-west-3` and the CUR Data Export in `us-east-1`. +One of recommended region for deploying is `eu-west-3`. Here's [why](https://app.electricitymaps.com/zone/FR/live/fifteen_minutes/2025-10-14T13:00:00.000Z). + ## Deployment +### Pre-requisites +1. Go language must me installed on your local machine. + → ie. `apt install golang` +2. Create S3 bucket + - AWS CLI method +`aws s3 mb s3://` + - AWS GUI method + ***{TODO}*** + +3. Create a Route53 entry + Create a type A record (simple routing) +4. (optionnal) Create KMS key for *client-side-scanner* + 1. Create key 1 + 2. Create key step 2 + 3. Create key step 3 + 4. Add administrator for your key + 5. Add user for your key + 6. Modify key strategies : + +``` +{ + "Id": "key-consolepolicy-3", + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "Enable IAM User Permissions", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam:::root" + }, + "Action": "kms:*", + "Resource": "*" + }, + { + "Sid": "Allow access for Key Administrators", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam:::role/aws-reserved/sso.amazonaws.com//" + }, + "Action": "kms:*", + "Resource": "*" + }, + { + "Sid": "Authorization loggroup", + "Effect": "Allow", + "Principal": { + "Service": "logs.amazonaws.com" + }, + "Action": [ + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*" + ], + "Resource": "*", + "Condition": { + "ArnEquals": { + "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:::log-group:" + } + } + } + ] +} + +``` + + +### Deployment steps + 1. Clone the [terraform repository](https://github.com/ippontech/iroco2-terraform-modules) -2. Each directory in the `layers` folder is a terraform project. For each : - 1. Add your backend configuration in the `backend-configs` directory as well as environment configuration in the `env-configs` directory - 2. Initialize the terraform project with `terraform init -backend-config=../backend-configs/.tfvars -var-file=../env-configs/.tfvars` - 3. Provide all the needed variables in a tfvars file in the `tfvars` directory - 4. Apply the terraform project with `terraform apply -var-file=../tfvars/.tfvars` -3. Clone the [frontend repository](https://github.com/ippontech/iroco2-frontend) +2. Add your backend configuration in the `backend-configs` directory +3. Add your environment variables in the `env-configs` directory +4. Prepare authorizer lambda bootstrap: + 1. Move to authorizer src directory + `cd ./layers/iroco2-authorizer/src` + 3. Execute build script + `../scripts/build.sh` +5. Each directory in the `layers` folder is a terraform project. For each one, in the following order **network**, **data**, **services**, **lambdas** (in no particular order), **api-gateway**: + 1. Initialize the terraform project with your variables files: +` terraform init --backend-config=../../backend-configs/.tfvars --var-file=../../env-configs/.tfvars` + 1. Provide all the needed variables in a tfvars file in the `tfvars` directory. You can copy the *tfvars.example* files. + 2. Apply the terraform project with `terraform [plan,apply] -var-file=../../env-configs/.tfvars -var-file=./tfvars/.tfvars` +6. Clone the [frontend repository](https://github.com/ippontech/iroco2-frontend) 1. Retrieve the Cloudfront distribution ID and S3 bucket name from the terraform output of the previous repository (`layer/service`) 2. Follow the README of the frontend repository to deploy the frontend to your cloudfront distribution -4. Clone the [backend repository](https://github.com/ippontech/iroco2-backend) +7. Clone the [backend repository](https://github.com/ippontech/iroco2-backend) 1. Add your backend configuration in the `backend-configs` directory as well as environment configuration in the `tfvars` directory (you can choose the backend image version [here](https://github.com/orgs/ippontech/packages?repo_name=iroco2-backend)) 2. Initialize the terraform project with `terraform init -backend-config=../backend-configs/.tfvars` 3. Provide all the needed variables in a tfvars file in the `tfvars` directory 1. You will get the latest version of the docker image of the backend API. You can find them on this page: https://hub.docker.com/r/ippontech/iroco2-backend 4. Apply the terraform project with `terraform apply -var-file=../tfvars/.tfvars` -5. Clone the lambda repository [iroco2-lambda](https://github.com/ippontech/iroco2-lambdas) +8. Clone the lambda repository [iroco2-lambda](https://github.com/ippontech/iroco2-lambdas) ## Backup & Restore @@ -118,4 +201,12 @@ Use this as a quick checklist to estimate costs. “Mandatory” means required Evidence Bookmark: Billable Services List - Link: docs/deployment/guide.md - Section: Costs > Billable AWS services (Mandatory vs Optional) -- Paragraph: Table above \ No newline at end of file +- Paragraph: Table above + + +## Deletion /!\ WIP + +1.Disable deletion protection on RDS DB +2. In reverse order: + `terraform destroy -var-file=../../env-configs/.tfvars -var-file=./tfvars/.tfvars` +3. Network has dependencies failures From ac5f929be14db9849b1e5da51dedd6201c713c3d Mon Sep 17 00:00:00 2001 From: Sebastien Date: Wed, 12 Nov 2025 15:20:16 +0100 Subject: [PATCH 4/6] docs: update with additionnal info --- docs/deployment/guide.md | 72 ++++++++-------------------------------- 1 file changed, 13 insertions(+), 59 deletions(-) diff --git a/docs/deployment/guide.md b/docs/deployment/guide.md index 1d2a2e3..9dddd61 100644 --- a/docs/deployment/guide.md +++ b/docs/deployment/guide.md @@ -4,6 +4,8 @@ This is the primary, streamlined path to deploy the solution. It contains only w ## Context +IroCO2 has been designed to be a SaaS at first and deployed in Ippon AWS account without possibility to self-host it. The Terraform currently present in the repositories is the one we used to maintain the SaaS deployment. + IroCO2 is currently designed to be deployed on AWS with Terraform. The typical deployment is described in the following document. @@ -32,7 +34,7 @@ In the future, we want to allow additionnal platforms and self-hosting. Summary (elapsed): - Configuration: 30m -- Deployment infra: 1h +- Deployment infra: 1h (DNS propagation/validation may take longer in some cases.) - Deployment code: 1h - Validation tests: 30m @@ -64,61 +66,9 @@ One of recommended region for deploying is `eu-west-3`. Here's [why](https://app ***{TODO}*** 3. Create a Route53 entry - Create a type A record (simple routing) -4. (optionnal) Create KMS key for *client-side-scanner* - 1. Create key 1 - 2. Create key step 2 - 3. Create key step 3 - 4. Add administrator for your key - 5. Add user for your key - 6. Modify key strategies : - -``` -{ - "Id": "key-consolepolicy-3", - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "Enable IAM User Permissions", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam:::root" - }, - "Action": "kms:*", - "Resource": "*" - }, - { - "Sid": "Allow access for Key Administrators", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam:::role/aws-reserved/sso.amazonaws.com//" - }, - "Action": "kms:*", - "Resource": "*" - }, - { - "Sid": "Authorization loggroup", - "Effect": "Allow", - "Principal": { - "Service": "logs.amazonaws.com" - }, - "Action": [ - "kms:Encrypt", - "kms:Decrypt", - "kms:ReEncrypt*", - "kms:GenerateDataKey*" - ], - "Resource": "*", - "Condition": { - "ArnEquals": { - "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:::log-group:" - } - } - } - ] -} - -``` + - Create a type A record (simple routing) +4. (optionnal) Create KMS key for *client-side-scanner*. + - See [documentation](https://ippontech.github.io/iroco2/#/docs/guide_scanner) ### Deployment steps @@ -204,9 +154,13 @@ Evidence Bookmark: Billable Services List - Paragraph: Table above -## Deletion /!\ WIP +## Deletion + + +/!\ WIP -1.Disable deletion protection on RDS DB +1. Disable deletion protection on RDS DB 2. In reverse order: - `terraform destroy -var-file=../../env-configs/.tfvars -var-file=./tfvars/.tfvars` + - `terraform destroy -var-file=../../env-configs/.tfvars -var-file=./tfvars/.tfvars` 3. Network has dependencies failures +4. Delete remaining resources, s3 buckets (alb logs, cloudfront sources, etc...) From b5a4e8f12419dfd779cb797342f736dfca6722a6 Mon Sep 17 00:00:00 2001 From: sroulon-ippon Date: Tue, 9 Dec 2025 14:59:30 +0100 Subject: [PATCH 5/6] chore: update guide.md Add Architecture diagram --- docs/deployment/guide.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/docs/deployment/guide.md b/docs/deployment/guide.md index 9dddd61..9fc4275 100644 --- a/docs/deployment/guide.md +++ b/docs/deployment/guide.md @@ -164,3 +164,14 @@ Evidence Bookmark: Billable Services List - `terraform destroy -var-file=../../env-configs/.tfvars -var-file=./tfvars/.tfvars` 3. Network has dependencies failures 4. Delete remaining resources, s3 buckets (alb logs, cloudfront sources, etc...) + + +## Architecture diagram + +Please find below the architecture diagram of the solution. +## Deletion + + +/!\ WIP + +![Architecture diagram](./DAT-Archi-Oct-2025.png) From b30a5fd865979b5d68f4bfd6ee97ec41256c46b7 Mon Sep 17 00:00:00 2001 From: Sebastien Date: Tue, 9 Dec 2025 15:31:10 +0100 Subject: [PATCH 6/6] fix: resolve order --- docs/deployment/guide.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/docs/deployment/guide.md b/docs/deployment/guide.md index 9fc4275..c21c26d 100644 --- a/docs/deployment/guide.md +++ b/docs/deployment/guide.md @@ -169,9 +169,5 @@ Evidence Bookmark: Billable Services List ## Architecture diagram Please find below the architecture diagram of the solution. -## Deletion - - -/!\ WIP ![Architecture diagram](./DAT-Archi-Oct-2025.png)