Skip to content

Phase 7: Post-deployment hardening, cleanup, and operational follow-ups #68

Description

@robert-7

Overview

Track remaining hardening, cleanup, and operational follow-up items after Phases 1-4. This issue intentionally excludes:

The app is deployed and reachable, but there are several follow-up items that should be addressed to improve security, reliability, and maintainability.

Follow-up tasks

Security and network hardening

  • Tighten MongoDB Atlas IP access list
    • Remove temporary 0.0.0.0/0 allowlist entry once a stable egress path exists
    • Remove stale laptop IP entries that are no longer needed
  • Move ECS tasks to private subnets
    • Keep ALB in public subnets
    • Place ECS tasks in private subnets
    • Route outbound traffic through a NAT Gateway
  • Disable public IP assignment on ECS tasks after private subnet migration
  • Re-evaluate ECS task outbound rules after private-subnet migration
    • Keep only the minimum required egress for Atlas and AWS APIs

TLS / HTTPS

  • Add ACM certificate for a real domain
  • Add HTTPS listener on ALB (443)
  • Redirect HTTP (80) to HTTPS (301)
  • Validate secure cookie / session behavior over HTTPS end-to-end

Observability and operations

  • Enable ALB access logs to S3
  • Review CloudWatch logging for useful app-level error visibility
  • Add CloudWatch alarms for:
    • unhealthy target count
    • ECS task restart / deployment failure
    • high 5xx rate
  • Add a simple runbook for:
    • where to find ECS service events
    • where to find CloudWatch logs
    • where to check target group health
    • where to check Atlas connectivity issues

Application/runtime cleanup

  • Review whether MongoDB Atlas connectivity can be made more explicit/documented
    • App currently requires outbound port 27017 to Atlas hosts
  • Confirm whether any additional routes beyond /index should be used for health or smoke testing
  • Consider whether a dedicated app health endpoint would be better than using /index

Cost / environment management

  • Document when it is safe to set ECS desired count to 0 to reduce demo costs
  • Decide whether ALB should remain always-on or only for active demo periods

Documentation

  • Update architecture / deployment docs to reflect the final AWS networking model actually used
  • Document the ALB + target group + ECS subnet alignment requirement
  • Document the Atlas connectivity requirement and why outbound 27017 is needed

Notes

These are follow-up hardening and cleanup items only. They should not block the fact that:

  • the ALB path is working
  • ECS service is healthy
  • target group health checks are passing
  • DB-backed routes are functioning after allowing Atlas connectivity

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requestinfrastructureAWS and infrastructure changessecuritySecurity vulnerability or hardening

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions