AWS Deployment

Step-by-step guide for deploying AskGov on AWS infrastructure

TODO: proofread + prune. I just copypasted this section from Claude as is. high chance of hallucination + too much verbosity

This guide provides AskGov-specific guidance for AWS deployment. We assume you're familiar with AWS services and focus on AskGov-specific requirements and best practices.

Deployment Duration: 4-6 hours (excluding DNS propagation) Complexity Level: Intermediate to Advanced Prerequisites: AWS account with appropriate permissions, familiarity with AWS services

Note: This guide focuses on AskGov-specific configurations. For general AWS setup instructions, refer to AWS documentation.

Pre-Deployment Checklist

Required AWS Services

Prerequisites

AWS CLI configured
Domain name registered
SSL certificate in ACM
Docker image repository (ECR)

Architecture Overview

Step 1: Network Infrastructure

Key Considerations for AskGov

Multi-AZ deployment for high availability
Private subnets for application and database tiers
Public subnets only for load balancer and NAT gateways
Strict security groups limiting traffic between tiers

Security Groups Required

ALB Security Group
- Inbound: 80, 443 from internet
- Outbound: 8080 to App Security Group
App Security Group
- Inbound: 8080 from ALB Security Group
- Outbound: 5432/26257 to DB, 6379 to Redis, 443 to internet
Database Security Group
- Inbound: 5432/26257 from App Security Group only
- No outbound rules needed
Redis Security Group
- Inbound: 6379 from App Security Group only

Step 2: Database Setup

Option A: RDS PostgreSQL (Simpler)

Specifications for AskGov:

Engine: PostgreSQL 14+
Instance: db.t3.medium minimum (adjust based on load)
Storage: 100GB GP3 SSD, encrypted
Multi-AZ: Required for production
Automated backups: 30-day retention

AskGov-specific configurations:

-- After RDS creation, run these optimizations
ALTER SYSTEM SET max_connections = 200;
ALTER SYSTEM SET shared_buffers = '256MB';
ALTER SYSTEM SET effective_cache_size = '1GB';

Option B: CockroachDB on EC2 (Full Compatibility)

Why CockroachDB for AskGov:

Full compatibility with AskGov's Prisma schemas
Better horizontal scaling for large deployments
Built-in geo-replication capabilities

Minimum 3-node cluster:

Instance type: m5.xlarge
Storage: 500GB SSD per node
Placement: Different AZs

Step 3: Cache Layer (Redis)

ElastiCache Configuration for AskGov

Cache strategy:

Session storage
Search results caching (5-minute TTL)
Rate limiting counters
Popular questions cache

Recommended setup:

Node type: cache.t3.micro for < 100k users
Node type: cache.r6g.large for > 100k users
Parameter group: Custom with maxmemory-policy allkeys-lru

Step 4: Search Engine (Weaviate)

Weaviate Deployment Considerations

Important: Weaviate requires dedicated EC2 instance (no managed service available)

Instance requirements:

t3.large minimum (4GB RAM for vectorization)
Persistent EBS volume for data
Private subnet deployment

AskGov-specific Weaviate configuration:

# Environment variables for Weaviate
AUTHENTICATION_APIKEY_ENABLED: true
AUTHENTICATION_APIKEY_ALLOWED_KEYS: <generate-strong-key>
DEFAULT_VECTORIZER_MODULE: text2vec-openai  # For production
# Or text2vec-transformers for self-hosted vectorization
ENABLE_MODULES: text2vec-openai,text2vec-transformers

Step 5: Application Deployment

Container Configuration

Docker image considerations:

Multi-stage build to minimize size
Non-root user for security
Health check endpoint included

ECS Task Definition Key Settings

{
  "cpu": "1024",
  "memory": "2048",
  "containerDefinitions": [{
    "name": "askgov",
    "essential": true,
    "portMappings": [{"containerPort": 8080}],
    "healthCheck": {
      "command": ["CMD-SHELL", "curl -f http://localhost:8080/health || exit 1"],
      "interval": 30,
      "timeout": 5,
      "retries": 3
    }
  }]
}

Environment Variables in Secrets Manager

Store these securely:

DATABASE_URL - Full connection string
SESSION_SECRET - 32+ character random string
REDIS_URL - ElastiCache endpoint
WEAVIATE_API_KEY - Weaviate authentication
VECTORIZER_API_KEY - OpenAI/Cohere key if using

Step 6: Load Balancer Configuration

ALB Settings for AskGov

Target Group Configuration:

Health check path: /health or /
Health check interval: 30 seconds
Deregistration delay: 30 seconds (for graceful shutdown)

Listener Rules:

HTTP → HTTPS redirect
Host-based routing if multiple agencies
Path-based routing for API vs frontend

Step 7: Storage Configuration

S3 Buckets Required

askgov-uploads - User file uploads
- Versioning: Enabled
- Encryption: SSE-S3
- Lifecycle: Archive after 90 days
askgov-exports - Data exports
- Encryption: SSE-KMS
- Access: Restricted to app role
askgov-backups - Database backups
- Encryption: SSE-KMS
- Lifecycle: Delete after retention period
- Cross-region replication recommended

Step 8: Post-Deployment Tasks

8.1 Database Initialization

# Connect to ECS task
aws ecs execute-command --cluster askgov --task <task-id> --container askgov --interactive --command "/bin/sh"

# Run migrations
npx prisma migrate deploy

# Seed initial data (if needed)
npx prisma db seed

8.2 Weaviate Search Initialization

# Create search class for questions
curl -X POST https://your-domain/hybrid/classes \
  -H "Authorization: Bearer $SUPERADMIN_TOKEN" \
  -F "className=Question_v1"

8.3 Create First Admin User

# Via application API or database
curl -X POST https://your-domain/api/v1/superadmin/users \
  -H "Authorization: Bearer $SUPERADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"email": "[email protected]", "role": "superadmin"}'

Step 9: Monitoring Setup

CloudWatch Dashboards

Create dashboards for:

Application metrics (CPU, memory, request count)
Database performance (connections, query time)
Search latency (Weaviate response times)
User activity (questions created, searches performed)

Key Alarms to Configure

High CPU Usage (> 70% for 5 minutes)
Memory Pressure (> 85%)
Database Connection Pool (> 80% utilized)
4XX/5XX Error Rate (> 1% of requests)
Search Latency (> 1 second p99)

Logging Strategy

Application logs → CloudWatch Logs
Access logs → S3 with analysis via Athena
Security events → CloudWatch Logs with alerts
Audit logs → Separate encrypted log group

Step 10: Backup and Disaster Recovery

Backup Components

Database: Automated RDS backups + manual snapshots
Application State: S3 versioning for uploads
Configuration: Infrastructure as Code in Git
Search Index: Periodic Weaviate exports

Recovery Time Objectives

RTO: 4 hours (full recovery)
RPO: 1 hour (maximum data loss)

Performance Optimization

Scaling Triggers

Configure auto-scaling based on:

CPU utilization > 70%
Memory utilization > 80%
Request count > threshold
Queue depth (if using SQS)

Caching Strategy

CloudFront: Static assets, 30-day cache
Redis: Session data, search results (5 min), popular questions (1 hour)
Application: In-memory cache for frequently accessed data

Security Hardening

AWS-Specific Security

Enable AWS WAF with managed rule sets
Configure AWS Shield for DDoS protection
Use AWS Systems Manager for patch management
Enable VPC Flow Logs for network monitoring
Configure AWS GuardDuty for threat detection

Compliance Features

AWS CloudTrail: API audit logging
AWS Config: Compliance monitoring
AWS Security Hub: Centralized security view
AWS Macie: Sensitive data discovery (if needed)

Cost Optimization

Cost Reduction Strategies

Use Spot Instances for non-critical workloads
Reserved Instances for predictable workloads (up to 72% savings)
S3 Intelligent-Tiering for automatic cost optimization
Scheduled scaling for non-production environments
Right-sizing based on CloudWatch metrics

Estimated Monthly Costs

Deployment Size

Users

Estimated Cost

Small

< 100k

$500-800

Medium

100k-1M

$1,500-2,500

Large

> 1M

$4,000-8,000

Note: Costs vary by region and usage patterns

Troubleshooting

Common Issues

ECS Tasks Not Starting

Check task role permissions
Verify secrets/environment variables
Review CloudWatch logs
Ensure health checks pass

Database Connection Issues

Verify security group rules
Check RDS parameter group settings
Confirm password in Secrets Manager
Test from bastion host

Search Not Working

Verify Weaviate is running
Check API key configuration
Ensure vectorization module is loaded
Review Weaviate logs

High Memory Usage

Review Node.js heap settings
Check for memory leaks
Scale horizontally
Optimize database queries

Migration Checklist

Before Going Live

Deployment Complete! Your AskGov instance is now running on AWS.

Next Steps:

Configure monitoring dashboards
Set up automated backups
Review Security Guide for additional hardening
Customize branding (Component Customization)

Last updated 9 months ago

Was this helpful?

hashtagPre-Deployment Checklist

hashtagRequired AWS Services

hashtagPrerequisites

hashtagArchitecture Overview

hashtagStep 1: Network Infrastructure

hashtagKey Considerations for AskGov

hashtagSecurity Groups Required

hashtagStep 2: Database Setup

hashtagOption A: RDS PostgreSQL (Simpler)

hashtagOption B: CockroachDB on EC2 (Full Compatibility)

hashtagStep 3: Cache Layer (Redis)

hashtagElastiCache Configuration for AskGov

hashtagStep 4: Search Engine (Weaviate)

hashtagWeaviate Deployment Considerations

hashtagStep 5: Application Deployment

hashtagContainer Configuration

hashtagECS Task Definition Key Settings

hashtagEnvironment Variables in Secrets Manager

hashtagStep 6: Load Balancer Configuration

hashtagALB Settings for AskGov

hashtagStep 7: Storage Configuration

hashtagS3 Buckets Required

hashtagStep 8: Post-Deployment Tasks

hashtag8.1 Database Initialization

hashtag8.2 Weaviate Search Initialization

hashtag8.3 Create First Admin User

hashtagStep 9: Monitoring Setup

hashtagCloudWatch Dashboards

hashtagKey Alarms to Configure

hashtagLogging Strategy

hashtagStep 10: Backup and Disaster Recovery

hashtagBackup Components

hashtagRecovery Time Objectives

hashtagPerformance Optimization

hashtagScaling Triggers

hashtagCaching Strategy

hashtagSecurity Hardening

hashtagAWS-Specific Security

hashtagCompliance Features

hashtagCost Optimization

hashtagCost Reduction Strategies

hashtagEstimated Monthly Costs

hashtagTroubleshooting

hashtagCommon Issues

hashtagMigration Checklist

hashtagBefore Going Live

Pre-Deployment Checklist

Required AWS Services

Prerequisites

Architecture Overview

Step 1: Network Infrastructure

Key Considerations for AskGov

Security Groups Required

Step 2: Database Setup

Option A: RDS PostgreSQL (Simpler)

Option B: CockroachDB on EC2 (Full Compatibility)

Step 3: Cache Layer (Redis)

ElastiCache Configuration for AskGov

Step 4: Search Engine (Weaviate)

Weaviate Deployment Considerations

Step 5: Application Deployment

Container Configuration

ECS Task Definition Key Settings

Environment Variables in Secrets Manager

Step 6: Load Balancer Configuration

ALB Settings for AskGov

Step 7: Storage Configuration

S3 Buckets Required

Step 8: Post-Deployment Tasks

8.1 Database Initialization

8.2 Weaviate Search Initialization

8.3 Create First Admin User

Step 9: Monitoring Setup

CloudWatch Dashboards

Key Alarms to Configure

Logging Strategy

Step 10: Backup and Disaster Recovery

Backup Components

Recovery Time Objectives

Performance Optimization

Scaling Triggers

Caching Strategy

Security Hardening

AWS-Specific Security

Compliance Features

Cost Optimization

Cost Reduction Strategies

Estimated Monthly Costs

Troubleshooting

Common Issues

Migration Checklist

Before Going Live