Delivery (CI/CD & Runtime)

CI/CD Workflow (GitLab)

PR/MR touching apps/web/**orapps/api/**:

1. Build Docker image :sha → push to ECR.
2. Register ECS TaskDefinition (Fargate 0.25 vCPU / 0.5GB).
3. Create TargetGroup (ip/HTTP/port) with health check:
   • Web: GET /api/health
   • API: GET /health
4. Create/Update ECS Service (desired=1) → TG.
5. Add/Update ALB rule: host web-pr-<iid>.qa.domain / api-pr-<iid>.qa.domain → TG.
6. Print preview URL in logs/comment.

Merge to main:

• Build changed apps, ecs update-service prod → same image SHA.
• Tag release (Conventional Commits → semver bump).

Close/Merge MR:

• Destroy preview: delete ALB rule + TG, desiredCount=0, delete service.

Scheduled TTL cleanup (hourly/nightly):

• Auto-delete previews older than N hours (or scale to 0), remove rules/TGs.

Runtime Config (FE ↔ BE pairing)

• Do not bake API hosts at build; server reads process.env.API_BASE_URL.
• For client code, inject runtime config via <Script> in layout (apiBaseUrl).
• For matched previews, set FE env: API_BASE_URL=https://api-pr-<iid>.qa.domain.

App Build Images

Next.js (apps/web)

• next.config.js: output: 'standalone'.
• Dockerfile: two‑stage; copy .next/standalone, .next/static, public; CMD node server.js.
• Health route at /api/health.

NestJS (apps/api)

• Expose container port 3000 (or configured port).
• Provide /health endpoint for ALB checks.

CI/CD Variables (set once)

• AWS_DEFAULT_REGION
• ECR_URI
• ALB_HTTP_LISTENER_ARN
• ECS_VPC_ID, ECS_SUBNETS, ECS_SECURITY_GROUPS
• ECS_EXEC_ROLE_ARN, ECS_TASK_ROLE_ARN
• QA_DOMAIN (e.g., qa.yourdomain.com)
• App env: API_BASE_URL (task def), others via Secrets Manager

Naming (and app‑layer security notes)

Naming

• Services: web-prod, api-prod, web-pr-<iid>, api-pr-<iid>
• Log groups: /ecs/cazvid-web, /ecs/cazvid-api
• Hostnames: web-pr-<iid>.qa.domain, api-pr-<iid>.qa.domain

App‑layer Security

• Cookies secure in prod; trust ALB x-forwarded-*.