Deployment Architecture
Diagram
Resources
The backend stack provisions 21 resources. Conditional resources are created only when their associated feature flag is enabled.
| Logical ID | Type | Description |
|---|---|---|
PassengersTable | AWS::DynamoDB::Table | DynamoDB table for passenger data with PAY_PER_REQUEST billing and SSE enabled. Conditional: created only when EnablePassengersTable=true. |
LambdaExecutionRole | AWS::IAM::Role | Per-function execution role with least-privilege policies. Includes conditional policies for DynamoDB, SQS, and always-on policies for ECR pull, Bedrock invocation, and CloudWatch metrics. |
LambdaFunction | AWS::Lambda::Function | Container-packaged Lambda function. Receives environment variables for auth configuration, invoke mode, namespace, environment, and optionally SQS queue URL. Reserved concurrency set to 50. |
LambdaLogGroup | AWS::Logs::LogGroup | CloudWatch log group for Lambda function output. Retention set to 30 days. |
HttpApi | AWS::ApiGatewayV2::Api | HTTP API (API Gateway v2) with CORS configuration allowing GET, POST, PUT, DELETE, and OPTIONS methods. |
JwtAuthorizer | AWS::ApiGatewayV2::Authorizer | JWT authorizer configured with the Cognito issuer URL and client ID. Extracts tokens from the Authorization header. |
BufferedIntegration | AWS::ApiGatewayV2::Integration | AWS_PROXY integration for standard (buffered) routes. 30-second timeout. Payload format version 2.0. |
StreamingIntegration | AWS::ApiGatewayV2::Integration | AWS_PROXY integration for SSE streaming routes. 30-second timeout. Payload format version 2.0. |
GetRoute | AWS::ApiGatewayV2::Route | GET /{proxy+} route using the buffered integration with JWT authorization. |
PostRoute | AWS::ApiGatewayV2::Route | POST /{proxy+} route using the buffered integration with JWT authorization. |
PutRoute | AWS::ApiGatewayV2::Route | PUT /{proxy+} route using the buffered integration with JWT authorization. |
DeleteRoute | AWS::ApiGatewayV2::Route | DELETE /{proxy+} route using the buffered integration with JWT authorization. |
SseRoute | AWS::ApiGatewayV2::Route | GET /api/v1/sse/{proxy+} route using the streaming integration with JWT authorization. |
DefaultStage | AWS::ApiGatewayV2::Stage | prod stage with auto-deploy enabled and structured JSON access logging. |
LambdaInvokePermission | AWS::Lambda::Permission | Grants API Gateway permission to invoke the Lambda function. Scoped to the specific HTTP API. |
ApiGatewayLogGroup | AWS::Logs::LogGroup | CloudWatch log group for API Gateway access logs. Retention set to 30 days. |
ApplicationErrorsFilter | AWS::Logs::MetricFilter | Metric filter on the Lambda log group that matches ERROR log lines and emits an ApplicationErrorCount metric. |
UnhandledExceptionsFilter | AWS::Logs::MetricFilter | Metric filter on the Lambda log group that matches structured JSON exceptions and Python tracebacks, emitting an UnhandledExceptionCount metric. |
HighErrorRateAlarm | AWS::CloudWatch::Alarm | Fires when ApplicationErrorCount reaches 5 or more within a 5-minute period. Alarm actions require AlarmSnsTopicArn to be set. |
HighExceptionRateAlarm | AWS::CloudWatch::Alarm | Fires when UnhandledExceptionCount reaches 5 or more within a 5-minute period. Alarm actions require AlarmSnsTopicArn to be set. |
AppDashboard | AWS::CloudWatch::Dashboard | CloudWatch dashboard with four widget sections: Application Errors (custom metrics), Lambda Health (invocations, duration percentiles, errors, throttles), API Gateway (requests, latency, 4xx/5xx errors), and Bedrock Usage (token counts, latency, throttles). |