AWS Account Structure
Purpose
This document defines the AWS account organization and environment strategy for the Farmer1st platform.
Current State
Account Hierarchy
┌─────────────────────────────────────────────────────────────────────────────┐
│                              AWS ORGANIZATION                               │
├─────────────────────────────────────────────────────────────────────────────┤
│                                                                             │
│                       ┌─────────────────────────────┐                       │
│                       │     MANAGEMENT ACCOUNT      │                       │
│                       │       (Organization)        │                       │
│                       │                             │                       │
│                       │ • Billing consolidation     │                       │
│                       │ • Organization policies     │                       │
│                       │ • No services deployed      │                       │
│                       │ • IAM Identity Center       │                       │
│                       └──────────────┬──────────────┘                       │
│                                      │                                      │
│                ┌─────────────────────┼─────────────────────┐                │
│                │                     │                     │                │
│                ▼                     ▼                     ▼                │
│       ┌─────────────────┐   ┌─────────────────┐   ┌─────────────────┐       │
│       │   DEV ACCOUNT   │   │ STAGING ACCOUNT │   │  PROD ACCOUNT   │       │
│       │                 │   │                 │   │                 │       │
│       │  farmer1st.dev  │   │ farmer1st.tech  │   │  farmer1st.org  │       │
│       │                 │   │                 │   │                 │       │
│       │ • Development   │   │ • Pre-prod      │   │ • Production    │       │
│       │ • Experiments   │   │ • QA/Testing    │   │ • Live users    │       │
│       │ • CI testing    │   │ • Staging       │   │ • Full scale    │       │
│       └─────────────────┘   └─────────────────┘   └─────────────────┘       │
│                                                                             │
└─────────────────────────────────────────────────────────────────────────────┘
Environment to Domain Mapping
| Environment | AWS Account | Domain | Purpose |
|---|---|---|---|
| Development | Dev | farmer1st.dev | Development, experimentation, CI |
| Staging | Staging | farmer1st.tech | Pre-production, QA, UAT |
| Production | Prod | farmer1st.org | Live environment, real users |
Decisions and Rationale
Multi-Account Strategy
| Decision | Rationale |
|---|---|
| Separate accounts per environment | Blast radius isolation, independent IAM, clear billing separation |
| Management account (formerly "master") for the organization only | Security best practice: no workloads in the management account. SCPs never apply to the management account, so anything deployed there sits outside the organization's guardrails |
| Three environments | Standard dev → staging → prod promotion path |
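The "Organization policies" the management account owns are service control policies (SCPs) attached to the OU(s) that hold the three workload accounts. The policy below is an added example, not the project's own configuration; it assumes the workload accounts sit under an OU to which it is attached, that humans sign in through IAM Identity Center and workloads use IAM roles, so no long-lived IAM user credentials are needed in any workload account:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLeavingOrganization",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    },
    {
      "Sid": "DenyLongLivedIamUserCredentials",
      "Effect": "Deny",
      "Action": [
        "iam:CreateUser",
        "iam:CreateAccessKey",
        "iam:CreateLoginProfile"
      ],
      "Resource": "*"
    }
  ]
}
```

The first statement stops a compromised or misconfigured workload account from detaching itself from the organization (and from billing and policy control). The second makes "shared credentials never cross accounts" enforceable rather than aspirational: no IAM user, access key or console password can be created in a workload account, so the only credentials are short-lived ones obtained through Identity Center or `sts:AssumeRole`. SCPs do not apply to the management account itself, which is one more reason to keep it workload-free.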
Domain Strategy
| Decision | Rationale |
|---|---|
| .dev for development | Clear indication of non-production; Google-operated TLD that is on the browser HSTS preload list, so every host under farmer1st.dev must be served over HTTPS (plain HTTP will not load) |
| .tech for staging | Distinct from prod, signals technical/testing environment |
| .org for production | Trust signal for farmers, non-commercial appearance for agricultural mission |
Environment Characteristics
Development (farmer1st.dev)
| Aspect | Configuration |
|---|---|
| Purpose | Developer testing, feature branches, CI pipelines |
| Data | Synthetic/anonymized data only |
| Access | Engineering team |
| Uptime SLA | None (can be torn down) |
| Cost optimization | Aggressive (scale to zero; note that EKS on Fargate has no Spot capacity, so spot pricing would require EC2 node groups) |
| Deployment | Continuous from feature branches |
Staging (farmer1st.tech)
| Aspect | Configuration |
|---|---|
| Purpose | Pre-production validation, QA, UAT, performance testing |
| Data | Anonymized production-like data |
| Access | Engineering + QA + Product |
| Uptime SLA | Business hours |
| Cost optimization | Moderate (smaller than prod, but stable) |
| Deployment | From main/release branches |
Production (farmer1st.org)
| Aspect | Configuration |
|---|---|
| Purpose | Live platform serving real farmers |
| Data | Real production data |
| Access | Restricted (ops + on-call) |
| Uptime SLA | 99.9%+ target |
| Cost optimization | Balanced (reliability over savings) |
| Deployment | Controlled releases, feature flags |
Infrastructure per Account
Each account contains isolated instances of:
┌─────────────────────────────────────────────────────────────┐
│                    EACH ACCOUNT CONTAINS                    │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│   ┌─────────────────────────────────────────────────────┐   │
│   │  EKS Fargate Cluster                                │   │
│   │  • API Services (Python)                            │   │
│   │  • SuperTokens                                      │   │
│   │  • Temporal                                         │   │
│   │  • Unleash                                          │   │
│   └─────────────────────────────────────────────────────┘   │
│                                                             │
│   ┌─────────────────────────────────────────────────────┐   │
│   │  Data Services                                      │   │
│   │  • RDS PostgreSQL                                   │   │
│   │  • ElastiCache Redis (or self-managed)              │   │
│   │  • MSK (Kafka)                                      │   │
│   └─────────────────────────────────────────────────────┘   │
│                                                             │
│   ┌─────────────────────────────────────────────────────┐   │
│   │  Networking                                         │   │
│   │  • VPC                                              │   │
│   │  • Cloudflare Tunnel endpoint                       │   │
│   │  • Private subnets                                  │   │
│   └─────────────────────────────────────────────────────┘   │
│                                                             │
└─────────────────────────────────────────────────────────────┘
Cloudflare Integration
┌───────────────────────────────────────────────────────────────────────────┐
│                         CLOUDFLARE CONFIGURATION                          │
├───────────────────────────────────────────────────────────────────────────┤
│                                                                           │
│     ┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐     │
│     │  farmer1st.dev  │    │ farmer1st.tech  │    │  farmer1st.org  │     │
│     │                 │    │                 │    │                 │     │
│     │ Cloudflare Zone │    │ Cloudflare Zone │    │ Cloudflare Zone │     │
│     └────────┬────────┘    └────────┬────────┘    └────────┬────────┘     │
│              │                      │                      │              │
│              ▼                      ▼                      ▼              │
│     ┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐     │
│     │   Cloudflare    │    │   Cloudflare    │    │   Cloudflare    │     │
│     │   Pages (PWA)   │    │   Pages (PWA)   │    │   Pages (PWA)   │     │
│     │                 │    │                 │    │                 │     │
│     │  app.farmer1st  │    │  app.farmer1st  │    │  app.farmer1st  │     │
│     │      .dev       │    │      .tech      │    │      .org       │     │
│     └─────────────────┘    └─────────────────┘    └─────────────────┘     │
│              │                      │                      │              │
│              ▼                      ▼                      ▼              │
│     ┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐     │
│     │   Cloudflare    │    │   Cloudflare    │    │   Cloudflare    │     │
│     │  Tunnel → AWS   │    │  Tunnel → AWS   │    │  Tunnel → AWS   │     │
│     │   Dev Account   │    │ Staging Account │    │  Prod Account   │     │
│     └─────────────────┘    └─────────────────┘    └─────────────────┘     │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘
Suggested Subdomain Structure
| Subdomain | Purpose | Example (Prod) |
|---|---|---|
| app. | Farmer PWA (Cloudflare Pages) | app.farmer1st.org |
| portal. | Stakeholder portals | portal.farmer1st.org |
| api. | Backend API (via Tunnel) | api.farmer1st.org |
| auth. | SuperTokens (via Tunnel) | auth.farmer1st.org |
| admin. | Internal admin tools | admin.farmer1st.org |
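On the AWS side the subdomains that reach the cluster are published by a `cloudflared` ingress ruleset, one tunnel per account, so the prod tunnel can only ever reach prod services. The configuration below is an added example, not the project's own file; the tunnel UUID, credentials path, Kubernetes namespace and service ports are placeholders (SuperTokens' default port 3567 is the one real value), and it assumes admin tools also run inside the cluster:

```yaml
# cloudflared config.yml for the tunnel running in the PROD account
# (added example; UUID, paths and service addresses are placeholders)
tunnel: 00000000-0000-0000-0000-000000000000
credentials-file: /etc/cloudflared/00000000-0000-0000-0000-000000000000.json

ingress:
  # Backend API on the EKS Fargate cluster (namespace "farmer1st" is an assumption)
  - hostname: api.farmer1st.org
    service: http://api.farmer1st.svc.cluster.local:8000

  # SuperTokens core; 3567 is its default listen port
  - hostname: auth.farmer1st.org
    service: http://supertokens.farmer1st.svc.cluster.local:3567

  # Internal admin tools; additionally gate this hostname with a Cloudflare
  # Access policy so the tunnel is not the only thing between it and the internet
  - hostname: admin.farmer1st.org
    service: http://admin.farmer1st.svc.cluster.local:8080

  # Mandatory catch-all: any other hostname routed to the tunnel gets a 404
  # rather than falling through to a service
  - service: http_status:404
```

`app.` and `portal.` are served by Cloudflare Pages and never enter the tunnel, so they do not appear here. Dev and staging get the same rule shape with their own tunnel and their own `farmer1st.dev` / `farmer1st.tech` hostnames; because each tunnel is created from inside its own account's VPC, no ingress rule can point at another environment's cluster, which is what keeps "no direct network connectivity between environments" true even though all three zones live in one Cloudflare account.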
Cross-Account Considerations
What Should NOT Cross Accounts
- Production data → never in dev/staging
- Direct network connectivity between environments
- Shared credentials
What MAY Cross Accounts
- Container images (ECR replication or shared registry)
- Infrastructure-as-Code modules
- Secrets management patterns (but not actual secrets)
- Monitoring dashboards (read-only, via a role assumed from the management account; no keys copied between accounts)
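The one thing that legitimately crosses accounts is an assumed IAM role, never a copied credential. The block below is an added example, not code from the Farmer1st project: it builds the trust policy for a read-only monitoring role in each workload account and lints any trust policy against the account structure, catching the two common mistakes (a wildcard principal, or trusting an account that is not ours). Account IDs, the organization ID and the role name are placeholder assumptions.

```python
"""Cross-account access through an assumed IAM role instead of shared credentials.

Added example for the Farmer1st account structure; it is not code from the
project. The account IDs, organization ID and role name are placeholders
(assumptions), not real identifiers.
"""
from typing import Optional

# Placeholder identifiers (assumptions, not the real accounts).
MANAGEMENT_ACCOUNT = "111111111111"
WORKLOAD_ACCOUNTS = {
    "dev": "222222222222",
    "staging": "333333333333",
    "prod": "444444444444",
}
ORG_ID = "o-exampleorg1"


def monitoring_role_trust_policy(management_account: str, org_id: str) -> dict:
    """Trust policy for a read-only 'MonitoringDashboards' role created in each
    workload account. Only one named role in the management account may assume
    it, and only while that caller still belongs to this organization. The
    role's permission policy (not shown) should grant read-only actions only."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": f"arn:aws:iam::{management_account}:role/MonitoringDashboards"
                },
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
            }
        ],
    }


def account_of(principal: str) -> Optional[str]:
    """Return the 12-digit account ID named by an AWS principal string
    ("123456789012", or an arn:aws:iam::123456789012:... / arn:aws:sts::... ARN);
    None for "*" or anything that does not name a single account."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    if len(parts) >= 6 and parts[0] == "arn" and parts[2] in ("iam", "sts"):
        return parts[4] if parts[4].isdigit() and len(parts[4]) == 12 else None
    return None


def trust_policy_findings(policy: dict, allowed_accounts: set) -> list:
    """Lint a role trust policy against the account structure: every Allow
    statement must name principals from allowed_accounts only and carry a
    Condition. Returns human-readable findings; an empty list means it passes.
    Service/Federated principals are out of scope and are not checked."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # IAM allows a single statement object
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append(f"statement {i}: wildcard principal (anyone can assume)")
        elif isinstance(principal, dict):
            aws = principal.get("AWS", [])
            for p in [aws] if isinstance(aws, str) else aws:
                acct = account_of(p)
                if acct is None:
                    findings.append(f"statement {i}: wildcard or unparseable principal {p!r}")
                elif acct not in allowed_accounts:
                    findings.append(f"statement {i}: trusts account {acct} outside the allowed set")
        if "Condition" not in stmt:
            findings.append(f"statement {i}: no Condition (expected aws:PrincipalOrgID or sts:ExternalId)")
    return findings


if __name__ == "__main__":
    policy = monitoring_role_trust_policy(MANAGEMENT_ACCOUNT, ORG_ID)
    print(trust_policy_findings(policy, {MANAGEMENT_ACCOUNT}))  # []
```

Run the linter over every role's trust policy in CI before it is applied: the trust policy, not the permission policy, is where a cross-account role quietly becomes reachable from an account you do not control.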
Open Questions
Dependencies
- Cloudflare account with all three domains
- AWS Organizations configured
- Infrastructure-as-Code tooling (TBD)
Last Updated: 2025-12-25