Production Site: https://nickpage.tech
This repository demonstrates enterprise-grade cloud architecture patterns using Terragrunt + Terraform on AWS. Features include an Envoy service mesh with dynamic xDS routing, GitOps automation with Atlantis, and production-ready security with Cloudflare integration. This was cloned from a live repository that remains private, and is actually quite out of date compared with all the improvements that are there now. While I can't share that repository because it is the underlying infra for a few projects in the works, I can definitely outline some of them conversationally.
Service Mesh Architecture
- Dynamic Routing: Zero-downtime route changes via xDS protocol without container rebuilds
- Custom xDS Control Plane: Go-based service providing GitOps-managed configuration
- Sidecar Pattern: Envoy ingress/egress proxies for traffic management and security
- Service Discovery: DNS-based backend resolution in ECS
Production Infrastructure
- Multi-AZ Deployment: ECS Fargate across 3 availability zones
- SSL/TLS Automation: ACM certificate management with DNS validation
- Origin Protection: ALB restricted to Cloudflare IP ranges only
- Container Security: Minimal images with runtime-native health checks
GitOps & Automation
- Atlantis GitOps: Infrastructure changes via pull request workflow
- GitHub OIDC: Keyless CI/CD authentication without long-lived credentials
- Automated Builds: Multi-platform container images with ECR deployment
┌─────────────────┐ ┌──────────────────┐ ┌─────────────────────────────────────┐
│ Internet │ │ Cloudflare │ │ AWS Infrastructure │
│ │ │ │ │ │
│ Global Users │───▶│ • CDN/Caching │───▶│ ┌─────────────────────────────────┐│
│ │ │ • DDoS Protection│ │ │ ALB ││
└─────────────────┘ │ • SSL Proxy │ │ │ • SSL Termination ││
└──────────────────┘ │ │ • Cloudflare IP Restricted ││
│ └─────────────────────────────────┘│
┌──────────────────────────────────────────────┤ │ │
│ GitOps Configuration Pipeline │ ▼ │
│ │ ┌─────────────────────────────────┐│
│ YAML Files ─▶ Atlantis ─▶ SSM ─▶ xDS ────────┤ │ Service Mesh ││
│ (GitHub) (GitOps) Store Control │ │ ││
│ │ │ ┌─────────────────────────────┐││
└──────────────────────────────────────────────┤ │ │ envoy-front │││
│ │ │ (Dynamic Routing) │││
┌──────────────────────────────────────────────┤ │ └─────────────────────────────┘││
│ ECS Fargate Tasks │ │ │ ││
│ │ │ ▼ ││
│ ┌───────────────┐ ┌─────────────────────┐ │ │ ┌─────────────────────────────┐││
│ │ envoy-ingress │─▶│ Application │ │ │ │ nickpage-tech │││
│ │ (Sidecar) │ │ (nickpage-tech) │ │ │ │ │││
│ └───────────────┘ └─────────────────────┘ │ │ │ ┌─────────────────────────┐ │││
│ ▲ │ │ │ │ │ envoy-ingress │ │││
│ │ ┌───────────────────┐ │ │ │ │ envoy-egress │ │││
│ Port 8000 │ envoy-egress │ │ │ │ │ application │ │││
│ │ (Sidecar) │ │ │ │ └─────────────────────────┘ │││
│ └───────────────────┘ │ │ └─────────────────────────────┘││
└──────────────────────────────────────────────┘ └─────────────────────────────────┘│
└─────────────────────────────────────┘
Service Mesh
- envoy-front: Front proxy with dynamic xDS configuration
- xds-control-plane: Custom Go service for dynamic routing configuration
- envoy-ingress/egress: Sidecar proxies for traffic management
- nickpage-tech: Next.js application with health endpoints
Security & Networking
- VPC: Multi-AZ private subnets with security group isolation
- ALB: SSL termination with Cloudflare IP restrictions
- ACM: Automated certificate management with DNS validation
- IAM: Least-privilege roles with GitHub OIDC integration
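The ALB origin restriction above only protects the origin while the security group's ingress rules match Cloudflare's published ranges. The following Go check is an added example, not code from this repository: given ingress CIDRs already fetched from the ALB security group (fetching is left to the caller), it reports rules that would let traffic bypass Cloudflare and allowed ranges the group no longer carries. The allowed list is a constructed placeholder, not Cloudflare's real ranges.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Stand-in for the published Cloudflare IPv4 list: CONSTRUCTED placeholder
// values (RFC 5737 documentation ranges), not Cloudflare's real ranges.
var cloudflareRanges = []netip.Prefix{
	netip.MustParsePrefix("198.51.100.0/24"),
	netip.MustParsePrefix("203.0.113.0/24"),
}

// Finding is one ALB ingress CIDR through which traffic could reach the
// origin without passing through Cloudflare.
type Finding struct{ CIDR, Reason string }

// AuditOriginIngress checks ALB security group ingress CIDRs against the allowed
// Cloudflare ranges: a rule outside every allowed range exposes the origin, and an
// allowed range no rule reproduces exactly means a stale allowlist dropping traffic.
func AuditOriginIngress(ingress []string, allowed []netip.Prefix) (findings []Finding, missing []string, err error) {
	covered := map[netip.Prefix]bool{}
	for _, cidr := range ingress {
		p, perr := netip.ParsePrefix(cidr)
		if perr != nil {
			return nil, nil, fmt.Errorf("ingress rule %q: %w", cidr, perr)
		}
		p, inside := p.Masked(), false
		for _, a := range allowed {
			// a contains p when a is no longer than p and covers p's network address;
			// Contains is false across address families, so ::/0 is never inside.
			inside = inside || (a.Bits() <= p.Bits() && a.Contains(p.Addr()))
			covered[a] = covered[a] || a == p
		}
		if !inside {
			reason := "not within any Cloudflare range"
			if p.Bits() == 0 {
				reason = "open to the whole internet"
			}
			findings = append(findings, Finding{p.String(), reason})
		}
	}
	for _, a := range allowed {
		if !covered[a] {
			missing = append(missing, a.String())
		}
	}
	return findings, missing, nil
}
```

A non-empty findings list means the Cloudflare DDoS and WAF layer can be skipped by connecting to the ALB directly; a non-empty missing list means legitimate Cloudflare traffic from that range is being dropped.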
environments/production/
├── security/ # IAM roles, SSL certificates, GitHub OIDC
├── storage/ # ECR container registries
├── networking/ # VPC, subnets, security groups
├── platform/ # ECS cluster, ALB, service discovery
├── applications/ # Containerized services (envoy-front, xds-control-plane, nickpage-tech)
└── routing/ # GitOps-managed Envoy route configuration
containers/ # Docker containers and build scripts
modules/ # Reusable Terraform modules
.github/workflows/ # CI/CD automation (build-containers.yml)
atlantis.yaml # GitOps workflow configuration
Zero-Downtime Route Changes:
- Edit YAML configuration → Terragrunt deployment → Live traffic updates (30 seconds)
- No container rebuilds required for routing changes
- GitOps-managed configuration through pull request workflow
- Custom Go xDS control plane serves dynamic configuration to Envoy proxies
Route Management:
- Edit `environments/production/routing/envoy-routes/configs/config.yaml`
- Commit and apply via Atlantis: `atlantis apply`
- Routes automatically update in production
Supports prefix/exact path matching, cluster routing, direct responses, and per-route timeouts.
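Because a route change reaches live traffic about 30 seconds after `atlantis apply`, the plan step is the last place to catch a broken config. The Go linter below is an added example, not code from this repository: its `Route` struct is a hypothetical in-memory form of one config entry, following only the capabilities listed above, and it flags the mistakes that would otherwise ship silently, including routes made unreachable by an earlier prefix match.

```go
package main

import (
	"fmt"
	"strings"
)

// Route is a HYPOTHETICAL in-memory form of one entry in config.yaml. The field
// set follows the README's description (prefix/exact matching, cluster routing,
// direct responses, per-route timeouts), not the repository's real schema.
type Route struct {
	Prefix, Exact  string // exactly one must be set
	Cluster        string // upstream cluster for normal routing
	DirectStatus   int    // or a direct-response status such as 404
	TimeoutSeconds int    // per-route upstream timeout
}

// LintRoutes returns the problems a plan step should fail on before "atlantis
// apply" pushes the config to the xDS control plane: ambiguous matchers, routes
// with both or neither of cluster/direct response, non-positive timeouts, and
// routes made unreachable by an earlier prefix match (Envoy uses the first match).
func LintRoutes(routes []Route) []string {
	var problems []string
	for i, r := range routes {
		switch {
		case (r.Prefix == "") == (r.Exact == ""):
			problems = append(problems, fmt.Sprintf("route %d: set exactly one of prefix or exact", i))
		case (r.Cluster == "") == (r.DirectStatus == 0):
			problems = append(problems, fmt.Sprintf("route %d: set exactly one of cluster or direct response", i))
		case r.Cluster != "" && r.TimeoutSeconds <= 0:
			problems = append(problems, fmt.Sprintf("route %d: timeout must be positive", i))
		}
		// A prefix route earlier in the list catches every later path that starts
		// with it, so the later route can never be selected.
		path := r.Prefix + r.Exact
		for j := 0; j < i; j++ {
			if e := routes[j].Prefix; e != "" && strings.HasPrefix(path, e) {
				problems = append(problems, fmt.Sprintf("route %d (%s) is shadowed by prefix route %d (%s)", i, path, j, e))
				break
			}
		}
	}
	return problems
}
```

The typical failure this catches is a catch-all `/` prefix placed above `/api`, which silently sends every API request to the website cluster.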
GitOps Workflow:
- Development: Edit infrastructure/container code, create pull request
- Review: Atlantis runs `terragrunt plan`, validate in PR comments
- Deploy: Comment `atlantis apply` to deploy infrastructure changes
- Automation: GitHub Actions builds/pushes containers, ECS updates services
Production Features:
- High Availability: Multi-AZ ECS Fargate deployment with auto-scaling
- Security: Cloudflare DDoS protection, origin IP restrictions, GitHub OIDC
- Monitoring: CloudWatch logging, health checks, infrastructure drift detection
- Cost Optimization: Serverless containers, spot capacity, resource right-sizing
This infrastructure demonstrates production-ready patterns for:
Service Mesh & Dynamic Routing
- Custom xDS control plane for zero-downtime configuration changes
- Envoy proxy sidecars with GitOps-managed routing
- Service discovery and load balancing at the mesh layer
Security & Compliance
- End-to-end encryption with automated certificate management
- Origin protection via Cloudflare IP allowlisting
- Keyless CI/CD with GitHub OIDC integration
- Zero-trust networking with service mesh isolation
Operational Excellence
- Infrastructure as Code with Terragrunt dependency management
- GitOps deployment workflow with Atlantis automation
- Multi-AZ high availability with auto-scaling
- Comprehensive monitoring and logging with CloudWatch
Scalability & Performance
- ECS Fargate serverless container platform
- Global CDN and edge caching via Cloudflare
- Container image optimization and health monitoring
- Cost optimization with spot capacity and right-sizing
Production Infrastructure: This setup powers nickpage.tech with enterprise-grade security, scalability, and operational practices.