Recently, Team Work Spirit designed and implemented a solution for development and production environments using a unique approach and an unconventional combination of technologies. We’d love to share our experience with other teams considering building complex architecture in AWS.
About the Client: Fundopolis
Fundopolis, our client, is building a new approach to investing—a financial system and community that makes investing simpler, more accessible, and more enjoyable. Their goal is to empower everyone to invest in the people and ideas that matter most to them.
Our Role
As the DevOps team, our task was to define and implement the hosting setup for development, staging, production, and CI/CD environments—all fully cloud-based.
Technologies Used
- AWS (VPC, CloudTrail, IAM, ECS, ELB, CloudWatch, EC2, ASG, ECR, RDS, S3, S3 Glacier, KMS, DAX, Route 53, CloudFront, CloudFormation, AWS Backup, DynamoDB)
- Jenkins
- Apache ModSecurity proxy
- OpenVPN AS for managing access to different parts of the application
- Cloudflare for web app protection and performance optimization
- Docker
- Graylog
- Zabbix
- Grafana
- Varnish
- Custom webhooks for third-party services (Auth0, Netki)
Project Delivery Phases
- Assessment and Planning: We began with an analysis of hosting requirements based on the system architecture and deployment roadmap. This phase included creating a hosting plan, selecting AWS services for each environment, defining security configurations, and outlining future scalability.
- Development Environment Setup: We implemented the development environment using Infrastructure as Code (IaC) principles to ensure repeatability and consistency.
- CI/CD and Production Environment: We built CI/CD pipelines and implemented the production environment using the same IaC approach.
Challenges and Solutions
- Monitoring: We chose Zabbix for monitoring all nodes, as it provides more comprehensive metrics than AWS CloudWatch. However, Zabbix does not natively support Amazon Linux (used in ECS clusters). To address this, we deployed Zabbix agents inside Docker containers running on ECS instances. This allowed us to use standard images instead of building the agents from source.
- IAM Roles and Policies: Defining and assigning proper IAM roles and policies took considerable time. We needed to manage cross-account access with strict limitations, ensuring only specific users could assume certain roles. This involved configuring trust relationships and permission boundaries across three AWS accounts.
- KMS Integration: We integrated AWS KMS with S3 and IAM to control access to encrypted data. Each file replication process involved both a decryption key (for the source region) and an encryption key (for the destination region). We created a CloudFormation template to automate key creation and assignment during deployment.
- ECS Configuration: All services were launched using EC2 user data scripts. As a result, the CloudFormation templates required precise attention to detail to ensure smooth deployments.
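The KMS integration item above describes the pattern in words only. The CloudFormation template below is an added illustration of that pattern (it is not Fundopolis's or Team Work Spirit's template) and shows the source-region half of a cross-region S3 replication setup: a KMS key that encrypts objects in the source bucket, a replication role that is allowed to decrypt with the source key and encrypt with the destination key, and a replication rule that tells S3 which key to use for the replicas. The destination bucket and destination key are assumed to be created by a separate stack in the other region and are passed in as parameters; the bucket name derived from the stack name and the `ReplicationRole` logical ID are likewise assumptions made for this example.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Source-region side of SSE-KMS cross-region replication (added example, not project code)

Parameters:
  DestinationBucketArn:
    Type: String          # e.g. arn:aws:s3:::<destination-bucket>, created by the destination stack
  DestinationKeyArn:
    Type: String          # KMS key ARN in the destination region (the "encryption key")
  DestinationRegion:
    Type: String          # region of the destination bucket, used to scope kms:Encrypt

Resources:
  # The "decryption key": every object in the source bucket is encrypted with it.
  SourceKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Encrypts objects in the source bucket
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: AccountAdmin           # IAM policies in this account decide who may use the key
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: '*'

  # S3 assumes this role to read the source objects and write the replicas.
  # Its policy names the bucket by its fixed name so the bucket can reference the
  # role without creating a circular dependency.
  ReplicationRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: s3.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: replicate-with-kms
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: ReadSource
                Effect: Allow
                Action:
                  - s3:GetReplicationConfiguration
                  - s3:ListBucket
                  - s3:GetObjectVersionForReplication
                  - s3:GetObjectVersionAcl
                  - s3:GetObjectVersionTagging
                Resource:
                  - !Sub arn:aws:s3:::${AWS::StackName}-source
                  - !Sub arn:aws:s3:::${AWS::StackName}-source/*
              - Sid: WriteReplica
                Effect: Allow
                Action:
                  - s3:ReplicateObject
                  - s3:ReplicateDelete
                  - s3:ReplicateTags
                Resource: !Sub ${DestinationBucketArn}/*
              - Sid: DecryptWithSourceKey    # only via S3 in this region, not from arbitrary callers
                Effect: Allow
                Action: kms:Decrypt
                Resource: !GetAtt SourceKey.Arn
                Condition:
                  StringLike:
                    kms:ViaService: !Sub s3.${AWS::Region}.amazonaws.com
              - Sid: EncryptWithDestinationKey
                Effect: Allow
                Action: kms:Encrypt
                Resource: !Ref DestinationKeyArn
                Condition:
                  StringLike:
                    kms:ViaService: !Sub s3.${DestinationRegion}.amazonaws.com

  SourceBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub ${AWS::StackName}-source
      VersioningConfiguration:
        Status: Enabled                 # replication requires versioning on both buckets
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: !GetAtt SourceKey.Arn
      ReplicationConfiguration:
        Role: !GetAtt ReplicationRole.Arn
        Rules:
          - Id: replicate-kms-objects
            Status: Enabled
            Prefix: ''
            SourceSelectionCriteria:
              SseKmsEncryptedObjects:
                Status: Enabled         # without this, SSE-KMS objects are silently skipped
            Destination:
              Bucket: !Ref DestinationBucketArn
              EncryptionConfiguration:
                ReplicaKmsKeyID: !Ref DestinationKeyArn
```

Two things are easy to miss when checking a setup like this: the destination key's own key policy must grant `kms:Encrypt` to the replication role's ARN (a key policy in another region does not inherit anything from this stack), and the `kms:ViaService` conditions mean the role cannot be reused to decrypt objects outside of S3, which keeps the blast radius of the replication credentials small.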
Project Complexity
One of the primary challenges was managing three separate AWS accounts, all integrated through centralized Jenkins pipelines for CI/CD. Additionally, Graylog was configured to collect logs from services running across all three accounts, adding another layer of complexity to the architecture.
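The IAM item above and the three-account layout described here are the parts of the project most worth showing concretely. The template below is an added example, not the project's own, of a role in one workload account that a central Jenkins account may assume, with the two controls the text mentions: a trust relationship that names the exact principals allowed to assume the role rather than the whole trusted account, and a permissions boundary that caps what the role can ever do even if a broader policy is attached to it later. The account ID, principal ARNs, role name and the set of services in the boundary are placeholders chosen for the example.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Cross-account deploy role with restricted trust and a permissions boundary (added example)

Parameters:
  TrustedAccountId:
    Type: String               # the central CI/CD (Jenkins) account
  AllowedPrincipalArns:
    Type: CommaDelimitedList   # exact ARNs allowed to assume the role, e.g. the Jenkins instance role

Resources:
  # The boundary is a ceiling: the role's effective permissions are the intersection
  # of this document and whatever identity policies are attached to the role.
  DeployBoundary:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: deploy-permissions-boundary
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: DeploymentServicesOnly
            Effect: Allow
            Action:
              - ecs:*
              - ecr:*
              - cloudformation:*
              - logs:*
            Resource: '*'
          - Sid: NoPrivilegeEscalation    # explicit deny wins over any Allow attached later
            Effect: Deny
            Action:
              - iam:CreateUser
              - iam:CreateAccessKey
              - iam:AttachUserPolicy
              - iam:PutRolePermissionsBoundary
              - iam:DeleteRolePermissionsBoundary
            Resource: '*'

  DeployRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: jenkins-deploy
      PermissionsBoundary: !Ref DeployBoundary
      MaxSessionDuration: 3600
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: OnlyNamedPrincipalsFromCiAccount
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${TrustedAccountId}:root   # account-level trust...
            Action: sts:AssumeRole
            Condition:
              ArnEquals:
                aws:PrincipalArn: !Ref AllowedPrincipalArns     # ...narrowed to specific principals
      Policies:
        - PolicyName: deploy-ecs-services
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - ecs:UpdateService
                  - ecs:RegisterTaskDefinition
                  - ecs:DescribeServices
                  - ecr:GetAuthorizationToken
                  - ecr:BatchGetImage
                  - ecr:GetDownloadUrlForLayer
                Resource: '*'
              - Effect: Allow
                Action: iam:PassRole          # allowed by the boundary? No: iam:* is absent there,
                Resource: '*'                 # so this statement has no effect until the boundary permits it.
                Condition:
                  StringEquals:
                    iam:PassedToService: ecs-tasks.amazonaws.com

Outputs:
  DeployRoleArn:
    Value: !GetAtt DeployRole.Arn
```

Trusting the account root and then restricting with `aws:PrincipalArn` is a deliberate choice: if the trust policy named the Jenkins role directly and that role were deleted and recreated, the trust would silently break, whereas the condition keeps working as long as the ARN matches. The deliberately inert `iam:PassRole` statement illustrates how the boundary behaves in practice: a permission that is not inside the boundary is not granted, which is exactly the property you want when several teams can edit the attached policies but only the platform team owns the boundary. Replicating this template into each of the three accounts, with the same Jenkins principals in `AllowedPrincipalArns`, gives the centralized pipeline one narrowly scoped role per account rather than shared credentials.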
Conclusion
Working on this project with Fundopolis was both exciting and challenging. It gave us the opportunity to dive deep into AWS and bring together a powerful mix of tools to support a secure, scalable cloud ecosystem.
From juggling multiple AWS accounts to fine-tuning IAM roles and getting around monitoring limitations, we tackled some tough problems—but the results were worth it. With everything running through Infrastructure as Code, and a solid CI/CD pipeline in place, the setup is not only efficient but also easy to maintain and scale as the platform grows.
If your team is facing similar challenges or thinking about building something complex in the cloud, we’re happy to share more of what we’ve learned along the way.