docs/architecture/deployment.md

Deployment And Environment Isolation

This slice shows how a merge to the dev or prod branch becomes a deployment to that environment's own AWS resources.

flowchart TB
    subgraph GitHub["GitHub"]
        DEV["dev branch"]
        PROD["prod branch"]
        PR["Pull request validation"]
        WF[".github/workflows/deploy.yml"]
    end

    subgraph Build["Build + Packaging"]
        DETECT["Detect changed components"]
        BUILDUI["Build UI when apps/ui changed"]
        BUILDDOCS["Render architecture docs when docs changed"]
        BUILDLAMBDA["Build changed Lambda modules"]
        ARTIFACTS["Upload jars to env-reef-a-matic-api"]
        SEEDJSON["Refresh seed JSON when reference modules change"]
    end

    subgraph Terraform["Terraform"]
        TFSTATE["S3 backend: terraform/env/reef-a-matic-api.tfstate"]
        APPLY["terraform apply for target env"]
        API["REST + WebSocket APIs"]
        LAMBDA["Lambda functions"]
        DDB["DynamoDB tables"]
        SQS["SQS queues"]
        S3["S3 buckets"]
        EVENT["EventBridge"]
        OBS["Observability resources"]
    end

    subgraph UI["Frontend Deploy"]
        RESOLVE["Resolve target AWS config"]
        GUARD["Prod guard rejects dev URLs, dev Cognito, dev domain"]
        UIS3["Sync dist to env-reef-a-matic-ui"]
        CF["Resolve CloudFront distribution by domain"]
        INVALIDATE["Invalidate /*"]
    end

    subgraph Docs["Architecture Docs Deploy"]
        DOCSBUILD["Generate static HTML from docs markdown + Mermaid"]
        DOCSS3["Sync to env-reef-a-matic-docs"]
        DOCSCF["CloudFront: docs.env.reefamatic.com"]
        DOCSACM["ACM DNS validated certificate"]
        DOCSINVALIDATE["Invalidate docs /*"]
    end

    subgraph Seed["Reference Data"]
        TESTLOAD["env-test-load-test-data"]
        DOSELOAD["dose/correction seed loaders"]
        TESTE["env-test-element: Oceamo + Triton ICP panels"]
        DOSEE["env-dose-element"]
        CORR["env-element-correction"]
    end

    PR --> WF
    DEV --> WF
    PROD --> WF
    WF --> DETECT
    DETECT --> BUILDUI
    DETECT --> BUILDDOCS
    DETECT --> BUILDLAMBDA
    BUILDLAMBDA --> ARTIFACTS
    ARTIFACTS --> APPLY
    DETECT --> APPLY
    APPLY --> TFSTATE
    APPLY --> API
    APPLY --> LAMBDA
    APPLY --> DDB
    APPLY --> SQS
    APPLY --> S3
    APPLY --> EVENT
    APPLY --> OBS
    BUILDUI --> RESOLVE
    RESOLVE --> GUARD
    GUARD --> UIS3
    UIS3 --> CF
    CF --> INVALIDATE
    BUILDDOCS --> DOCSBUILD
    DOCSBUILD --> DOCSS3
    APPLY --> DOCSACM
    APPLY --> DOCSCF
    DOCSS3 --> DOCSCF
    DOCSCF --> DOCSINVALIDATE
    DETECT --> SEEDJSON
    SEEDJSON --> TESTLOAD
    SEEDJSON --> DOSELOAD
    TESTLOAD --> TESTE
    DOSELOAD --> DOSEE
    DOSELOAD --> CORR

Key Rules

  • Pull requests build and validate but do not deploy.
  • Merging to dev deploys dev.
  • Merging to prod deploys prod.
  • Deployed UI config is resolved from AWS, not repo-level VITE_* values.
  • Prod UI builds fail if compiled assets contain known dev URLs, dev Cognito IDs, or dev.reefamatic.com.
  • CloudFront invalidation is resolved by target domain.
  • Architecture markdown is rendered into static HTML and published behind private S3 plus CloudFront at docs.dev.reefamatic.com for dev and docs.reefamatic.com for prod.
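
One way to implement the prod guard rule above, as an added example rather than the project's own workflow code: it scans a built bundle for dev-only strings and fails closed when there is nothing to scan or no markers are loaded. The function names, the marker file format, the Cognito placeholder and the sample URLs are assumptions; only dev.reefamatic.com comes from this page.

```shell
#!/usr/bin/env bash
# Added example, not the project's deploy.yml step.
# check_prod_bundle DIST_DIR MARKER_FILE
#   returns 0 = clean, 1 = dev marker found, 2 = guard could not run
check_prod_bundle() {
  local dist="$1" markers="$2" patterns hits
  # Fail closed: a guard that scanned nothing must not report success.
  [ -d "$dist" ] || { echo "guard: missing dist dir: $dist" >&2; return 2; }
  [ -n "$(find "$dist" -type f | head -n 1)" ] ||
    { echo "guard: no files in $dist" >&2; return 2; }
  # Drop comments and blank lines; an empty pattern would match every file.
  patterns="$(grep -Ev '^[[:space:]]*(#|$)' "$markers" 2>/dev/null || true)"
  [ -n "$patterns" ] || { echo "guard: no markers in $markers" >&2; return 2; }
  # -F literal match (dots are not wildcards), -a read minified/binary assets
  # as text, -r recurse, -l print only the names of offending files.
  hits="$(grep -rlaF -e "$patterns" -- "$dist" || true)"
  if [ -n "$hits" ]; then
    echo "guard: dev markers found in prod bundle:" >&2
    printf '%s\n' "$hits" | sed 's/^/  /' >&2
    return 1
  fi
  return 0
}

# Constructed sample bundles and marker list so the example runs offline.
make_samples() {
  local root="$1"
  mkdir -p "$root/clean/assets" "$root/leaky/assets" "$root/empty"
  printf 'const api="https://app.example.invalid";\n' > "$root/clean/assets/index.js"
  printf 'const api="https://dev.reefamatic.com/api";\n' > "$root/leaky/assets/index.js"
  printf '%s\n' '# dev-only values that must never ship to prod' \
    'dev.reefamatic.com' 'PLACEHOLDER_DEV_COGNITO_POOL_ID' '' > "$root/markers.txt"
  printf '# nothing configured\n\n' > "$root/blank-markers.txt"
}

# Demo on the constructed input.
tmp="$(mktemp -d)"
make_samples "$tmp"
for bundle in clean leaky empty; do
  rc=0; check_prod_bundle "$tmp/$bundle" "$tmp/markers.txt" || rc=$?
  echo "$bundle -> exit $rc"
done
rm -rf "$tmp"
```

Treating exit code 2 as a build failure matters as much as exit code 1: a misplaced dist path or an empty marker list would otherwise let every prod build pass unchecked.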