feat(pulumi): add AWS infrastructure code and deployment guide

[bhagyashreewagh]

This PR adds end-to-end AWS deployment and infrastructure documentation for the Antenna platform, along with safe templates for deployment configuration and a small test fixture update to support S3 vs MinIO.

Closes: #967

What’s Included

Documentation

• New aws-infra/README.md covering the full Antenna platform deployment:

  • Elastic Beanstalk multi-container backend (Django API, Celery Worker/Beat, Flower, ML services, awscli helper)
  • ECR repositories and image/tag workflow
  • RDS PostgreSQL configuration
  • ElastiCache Redis (TLS) configuration
  • IAM roles/policies used by Elastic Beanstalk
  • VPC/subnets/security group relationships
  • Backend deployment workflow (Docker -> ECR -> EB bundle -> EB deploy)
  • Validation + common debugging (Redis TLS, EB health checks, migrations)
  • Frontend deployment overview (S3 + CloudFront) and /api/* proxying to EB
  • Future improvements (Secrets Manager, CI/CD, least privilege IAM, HA options)

Deployment templates (no secrets)

• .ebextensions/00_setup.config template with placeholders (no credentials committed)
• Dockerrun.aws.json template with placeholders for account/region/image tags and runtime config

Code change

• Updated ami/tests/fixtures/storage.py to support:

  • AWS S3 when DJANGO_AWS_* settings are present (Elastic Beanstalk/prod-like env)
  • MinIO fallback when AWS settings are not present (local/test)

Why This Matters

The project previously lacked cohesive, end-to-end infrastructure documentation. These additions make it easier for maintainers and contributors to reproduce the deployment, understand AWS resource relationships, and safely operate/update the platform.

Notes

• Docs-focused PR; includes a minor test-fixture update for S3/MinIO compatibility.
• No secrets or credentials are committed, templates use placeholders only.

Summary by CodeRabbit

Release Notes

• New Features

  • Added comprehensive AWS infrastructure deployment framework supporting multi-container applications with Django API, Celery workers, and ML services.
  • Implemented automated provisioning of RDS PostgreSQL, ElastiCache Redis, ECR repositories, and Elastic Beanstalk environments.
  • Added CloudFront distribution for UI delivery with S3 backend and API proxying.
  • Included secrets management, IAM roles, networking infrastructure, and S3 storage configuration.

• Documentation

  • Added AWS deployment architecture guide and step-by-step Pulumi installation instructions.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[netlify]

✅ Deploy Preview for antenna-preview canceled.

Name	Link
🔨 Latest commit	671d254
🔍 Latest deploy log	https://app.netlify.com/projects/antenna-preview/deploys/697c46c575bd59000821b232

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds AWS infrastructure documentation, Elastic Beanstalk deployment templates, an empty IAM policy placeholder, and a new dual-mode S3 test/demo storage module with helpers to create and populate S3/MinIO buckets.

Changes

Cohort / File(s)	Summary
Infrastructure guide aws-infra/README.md	New comprehensive AWS infra and deployment guide covering architecture (Elastic Beanstalk / Docker on ECS, ECR, RDS PostgreSQL, ElastiCache Redis with TLS, S3, CloudFront), deployment workflow, environment variables, networking, health checks, CloudFront origins/invalidations, troubleshooting, and hardening/automation recommendations.
EB config templates aws-infra/configurations/.ebextensions/00_setup.config_template, aws-infra/configurations/Dockerrun.aws.json_template	New Elastic Beanstalk .ebextensions template (env vars, health checks, migration leader command, volume size) and a multi-container Dockerrun template defining Django, Celery worker/beat, Flower, awscli, and ml-backend service containers with environment wiring and port mappings.
IAM policy placeholder aws-infra/policies/iam_elastic_beanstalk_policy.json	New empty file added as a placeholder for an Elastic Beanstalk IAM policy.
S3 test/demo storage module aws-infra/modifications/storage.py	New Python module providing dual-mode S3 config (real AWS vs MinIO), functions create_storage_source(project, name, prefix) and populate_bucket(config, ...) to create/retrieve S3StorageSource entries, verify/write to prefixes, and optionally generate/upload demo image frames to S3.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

• Review aws-infra/modifications/storage.py for AWS vs MinIO detection, prefix verification logic, exception handling, and logging of credentials/URLs.
• Validate .ebextensions and Dockerrun templates for correct env var names, port mappings, container commands, and leader-migration command safety.
• Scan aws-infra/README.md for alignment with repository deployment practices and any security/hardening recommendations to enforce.
• Decide next steps for the empty iam_elastic_beanstalk_policy.json (populate, reference, or remove).

Poem

🐰 I hopped through docs, templates, buckets bright,
Wove configs, seeds, and demo frames at night.
If S3 smiles or MinIO sings,
I stitch the keys and lift the things—
A rabbit cheers: deploy with gentle might. 🥕✨

🚥 Pre-merge checks | ❌ 3

❌ Failed checks (1 warning, 2 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.
Description check	❓ Inconclusive	The PR description covers the main objectives, includes issue reference, and provides context, but lacks testing instructions, screenshots, deployment notes detail, and checklist items as specified in the template.	Add testing instructions, deployment notes with specific steps (if needed), and complete the provided checklist items to fully meet the template requirements.
Title check	❓ Inconclusive	The PR title describes adding AWS infrastructure code, but the PR objectives clarify it is primarily a documentation PR. The title partially captures the main changes but omits the significant documentation focus.	Consider updating the title to better reflect the primary focus on documentation, such as 'docs: add AWS deployment guide and infrastructure documentation' to match the PR's actual scope.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[carlosgjs]

is v10 an example version number? If so maybe add a small note about how to think about and use container versions

[bhagyashreewagh]

Yes, v10 is just an example. I’ll add a note explaining how contributors should choose version numbers so it's clear and consistent.

[carlosgjs]

how?

[bhagyashreewagh]

Added a section that explains exactly how each validation step was performed (API 200 check, EB health check, Worker/Beat logs, and Flower UI access). This clarifies how each item was confirmed during deployment.

[carlosgjs]

can we add example versions of these files?

[bhagyashreewagh]

Absolutely! Some of these files may contain secrets, so I’ll sanitize the sensitive parts and upload minimal example versions.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (5)

aws-infra/README.md (5)

41-43: Minor: Improve sentence structure for formal documentation tone.

The text uses an implied subject in the second sentence. Consider making the subject explicit:

- Environment type:
-  - Single-instance environment (used for development/testing to reduce cost). 
-  - Can be upgraded later to a load-balanced environment for production.
+ Environment type:
+  - Single-instance environment (used for development/testing to reduce cost).
+  - This can be upgraded later to a load-balanced environment for production.

---

55-58: Optional: Tighten the explanatory note for conciseness.

The phrase "originally created for" is slightly verbose. Consider simplifying:

-  - Additional outbound egress security group  
-    *(originally created for App Runner, now reused for EB networking)*
+  - Additional outbound egress security group  
+    *(created for App Runner, reused for EB networking)*

---

334-341: Fix: Add missing language specifiers to code blocks and tighten adverb usage.

Several code blocks are missing language identifiers, and one sentence has redundant adverb usage:

1. Line 339: Remove repeated adverb for conciseness:

- Celery worker connects to Redis successfully
- Celery Beat schedules run successfully
+ Celery worker connects to Redis
+ Celery Beat schedules run successfully

2. Lines 351, 362, 396, 411, 425: Add language specifiers to fenced code blocks. For example:

At line 351, change:

- ```
+ ```bash

Apply the same fix to lines 362 (bash), 396 (bash), 411 (bash), and 425 (bash or html).

3. Line 343: Remove blank line inside blockquote before "How to validate..." explanation for proper markdown formatting.

---

248-260: Fix: Reduce repetitive adjective usage in least-privilege recommendations.

Lines 254-255 use the word "only" twice in consecutive bullet points. Vary the language:

- Restricting S3 access to only specific buckets  
- Restricting ECR access to only required repositories  
- Minimizing CloudWatch permissions  
+ Restricting S3 access to specific buckets  
+ Restricting ECR access to required repositories  
+ Minimizing CloudWatch permissions  

---

522-524: Fix: Use asterisks for emphasis instead of underscores (markdown convention).

Line 524 uses underscores for italics, which is inconsistent with markdown best practices. Change:

-_End of documentation._
+*End of documentation.*

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1b461fb and 217e619.

📒 Files selected for processing (2)

• aws-infra/README.md (1 hunks)
• aws-infra/policies/iam_elastic_beanstalk_policy.json (1 hunks)

🧰 Additional context used

🪛 Biome (2.1.2)

aws-infra/policies/iam_elastic_beanstalk_policy.json

[error] 1-1: Expected an array, an object, or a literal but instead found the end of the file.

Expected an array, an object, or a literal here.

(parse)

🪛 LanguageTool

aws-infra/README.md

[style] ~43-~43: To form a complete sentence, be sure to include a subject.
Context: ...velopment/testing to reduce cost). - Can be upgraded later to a load-balanced en...

(MISSING_IT_THERE)

---

[style] ~58-~58: This phrase is redundant. Consider writing “created”.
Context: ... outbound egress security group *(originally created for App Runner, now reused for EB netwo...

(ORIGINALLY_CREATED)

---

[style] ~255-~255: This adverb was used twice in the sentence. Consider removing one of them or replacing them with a synonym.
Context: ...c buckets - Restricting ECR access to only required repositories - Minimizing Cl...

(ADVERB_REPETITION_PREMIUM)

---

[style] ~339-~339: This adverb was used twice in the sentence. Consider removing one of them or replacing them with a synonym.
Context: ...uccessfully - Celery Beat schedules run successfully - Flower UI loads on port 5555 (if secu...

(ADVERB_REPETITION_PREMIUM)

🪛 markdownlint-cli2 (0.18.1)

aws-infra/README.md

343-343: Blank line inside blockquote

(MD028, no-blanks-blockquote)

---

351-351: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

362-362: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

396-396: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

411-411: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

425-425: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

524-524: Emphasis style
Expected: asterisk; Actual: underscore

(MD049, emphasis-style)

---

524-524: Emphasis style
Expected: asterisk; Actual: underscore

(MD049, emphasis-style)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Redirect rules
• GitHub Check: Header rules
• GitHub Check: Pages changed

🔇 Additional comments (3)

aws-infra/README.md (3)

307-321: Approve: Comprehensive responses to past review feedback.

The developer has thoroughly addressed all prior review comments:

• ✓ Added version strategy guidance (lines 307–321) in response to version numbering questions
• ✓ Included detailed validation methodology (lines 344–435) explaining how each deployment step is confirmed
• ✓ Clarified Redis TLS fix location (lines 450–471) explaining the role of .ebextensions/00_setup.config

These additions significantly improve clarity for maintainers and contributors.

Also applies to: 344-435, 450-471

---

1-524: Overall Assessment: Comprehensive documentation with strong team feedback integration.

This README provides excellent coverage of the AWS Elastic Beanstalk deployment architecture, infrastructure components, deployment workflow, and troubleshooting guidance. The structure progressively builds from high-level overview → detailed configuration → practical deployment steps → validation methodology → common issues.

Strengths:

• Clear, logical section flow suitable for onboarding maintainers and contributors
• Detailed validation section with concrete examples (curl, eb logs) helps teams confirm successful deployments
• IAM and networking sections properly document current state and acknowledge least-privilege future improvements
• All four prior review comments from the team have been thoughtfully incorporated

Resolution needed before merge:

• Resolve the port inconsistency identified in the earlier comment (5000 vs 8000).

Optional polish items:

• Apply the markdown and style fixes noted in the separate comments above for professional consistency.

---

87-96: Verify port inconsistency claim: Django container port mapping (lines 91 vs. 376).

The review identifies a discrepancy stating line 91 mentions Django listening on port 5000 (exposed as 80), while line 376 states port 8000. Unable to access the repository to independently verify these specific line references and claims. Please confirm:

• Actual port number configured in the Django container
• Whether both references in the document match the actual configuration
• Update the documentation to reflect the correct port mapping if inconsistency exists

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

File is empty and contains no valid JSON policy content.

The IAM policy file is currently empty and fails JSON validation. A valid Elastic Beanstalk IAM policy should follow the structure with "Version" and "Statement" keys, but this file contains none.

Since the PR adds comprehensive AWS infrastructure documentation, this policy file is critical infrastructure-as-code. An empty file cannot be used for actual deployment and contradicts the PR's intent.

Do you want me to generate a starter IAM policy tailored to the Antenna Elastic Beanstalk deployment? Based on the PR objectives mentioning an ECS-based multi-container setup with RDS and ElastiCache, I can provide a policy that aligns with those resources. Please clarify:

1. Intended scope: Is this policy for the EC2 instance role (what EB instances assume) or for deployment/CI-CD users?
2. Least-privilege requirement: Should the policy follow least-privilege with scoped resources, or use broader wildcards for initial setup?
3. Additional integrations: Does it need permissions for ECR, RDS, ElastiCache, CloudWatch, or other services mentioned in the infrastructure guide?

🧰 Tools

🪛 Biome (2.1.2)

[error] 1-1: Expected an array, an object, or a literal but instead found the end of the file.

Expected an array, an object, or a literal here.

(parse)

🤖 Prompt for AI Agents

In aws-infra/policies/iam_elastic_beanstalk_policy.json around line 1, the file
is empty and must be replaced with a valid IAM policy JSON (including "Version"
and "Statement"). Fix by creating a proper JSON policy for the intended role:
decide whether this is an EC2/Elastic Beanstalk instance profile or a
CI/CD/deployer role, pick least-privilege vs wildcard scope, and either (A)
reference AWS-managed Elastic Beanstalk policies (e.g.,
AWSElasticBeanstalkWebTier/WorkerTier plus any needed service policies like
AmazonEC2ContainerRegistryReadOnly, CloudWatchLogsFullAccess, or scoped
RDS/ElastiCache permissions) or (B) author a custom policy JSON with a Version
and Statements granting only the required actions (S3 get/put for deployments,
ecs/ecr describe/pull if ECS tasks used, logs:CreateLogStream/PutLogEvents,
ec2/autoscaling describe and tagging, and scoped RDS/ElastiCache access if
needed). Ensure the final file is valid JSON and add comments in PR describing
scope and resource ARNs used for least-privilege.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (4)

aws-infra/README.md (4)

43-44: Fix incomplete sentence; add subject to line 44.

Line 44 is missing a subject: "Can be upgraded later..." → who/what can be upgraded? Likely should be "It can be upgraded later..." or "The environment can be upgraded later..."

- Deployment bundle includes:
-   - `Dockerrun.aws.json` 
-   - `.ebextensions/00_setup.config`
- Environment type:
-   - Single-instance environment (used for development/testing to reduce cost). 
-   - Can be upgraded later to a load-balanced environment for production.
+ Deployment bundle includes:
+   - `Dockerrun.aws.json` 
+   - `.ebextensions/00_setup.config`
+ Environment type:
+   - Single-instance environment (used for development/testing to reduce cost). 
+   - It can be upgraded later to a load-balanced environment for production.

---

56-60: Remove redundant phrase on line 59; simplify "originally created" to "created".

The phrase "originally created" is redundant in context; "created" alone is sufficient.

-  - EB-managed instance security group (default inbound + outbound rules)
-  - Additional outbound egress security group  
-    *(originally created for App Runner, now reused for EB networking)*
+  - EB-managed instance security group (default inbound + outbound rules)
+  - Additional outbound egress security group  
+    *(created for App Runner, now reused for EB networking)*

---

357-451: Fix markdown issues in deployment workflow section: add language specs to code blocks and remove blank line in blockquote.

The extensive blockquote section containing validation instructions has several markdown linting violations:

1. Line 358: Blank line inside blockquote (should have no blank lines within blockquote)
2. Lines 366, 377, 411, 426, 440: Fenced code blocks missing language specifications (should be ```bash, ```json, etc.)

Additionally, line 354 uses the adverb "successfully" twice in consecutive bullet points ("connects to Redis successfully" and "schedules run successfully"), which is redundant. Consider replacing one with a synonym or restructuring.

Apply these fixes:

  ### Step 5 — Validate Deployment
  
  - `/api/v2/` returns `200`
  - Django container remains healthy
- - Celery worker connects to Redis successfully
- - Celery Beat schedules run successfully
+ - Celery worker connects to Redis without errors
+ - Celery Beat schedules tasks as expected
  - Flower UI loads on port 5555 (if security groups permit)
  
->
> ### How to Validate this deployment?
  > The points listed above describe the expected state of a successful AWS deployment.  
  >
  > ---
  >
  > ### 1. Confirming that `/api/v2/` returns a successful response
  > When you open:
- > ```
+ > ```bash
  > https://<EB-URL>/api/v2/
  > ```
  > the browser shows the JSON content returned by Django.  
  > This means that simply opening the URL visually confirms "the API is working," but not the status code.
  >
  > To check the actual HTTP status code, use:
- > ```bash
+ > ```bash
  > curl -I https://<EB-URL>/api/v2/
  > ```
  > This command returns the HTTP headers. A successful response looks like:
- > ```
+ > ```
  > HTTP/1.1 200 OK
  > ```

For all missing language specs, add the appropriate language identifier after the opening backticks: ```bash, ```json, etc.

---

539-539: Fix markdown emphasis style on final line.

Line 539 uses underscore emphasis (_End of documentation._) instead of the consistent asterisk style used throughout the document. Change to *End of documentation.* for markdown consistency.

-_End of documentation._
+*End of documentation.*

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 217e619 and 87c8b92.

📒 Files selected for processing (1)

• aws-infra/README.md (1 hunks)

🧰 Additional context used

🪛 LanguageTool

aws-infra/README.md

[style] ~44-~44: To form a complete sentence, be sure to include a subject.
Context: ...velopment/testing to reduce cost). - Can be upgraded later to a load-balanced en...

(MISSING_IT_THERE)

---

[style] ~59-~59: This phrase is redundant. Consider writing “created”.
Context: ... outbound egress security group *(originally created for App Runner, now reused for EB netwo...

(ORIGINALLY_CREATED)

---

[style] ~270-~270: This adverb was used twice in the sentence. Consider removing one of them or replacing them with a synonym.
Context: ...c buckets - Restricting ECR access to only required repositories - Minimizing Cl...

(ADVERB_REPETITION_PREMIUM)

---

[style] ~354-~354: This adverb was used twice in the sentence. Consider removing one of them or replacing them with a synonym.
Context: ...uccessfully - Celery Beat schedules run successfully - Flower UI loads on port 5555 (if secu...

(ADVERB_REPETITION_PREMIUM)

🪛 markdownlint-cli2 (0.18.1)

aws-infra/README.md

358-358: Blank line inside blockquote

(MD028, no-blanks-blockquote)

---

366-366: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

377-377: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

411-411: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

426-426: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

440-440: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

539-539: Emphasis style
Expected: asterisk; Actual: underscore

(MD049, emphasis-style)

---

539-539: Emphasis style
Expected: asterisk; Actual: underscore

(MD049, emphasis-style)

🔇 Additional comments (3)

aws-infra/README.md (3)

505-535: Comprehensive future improvements roadmap is well-prioritized.

The list of recommended enhancements covers critical areas (Secrets Manager, RDS/Redis hardening, IAM least-privilege, CI/CD) and scalability improvements. This aligns well with the earlier acknowledgment in section 5.4 about using broad EB-managed policies as a temporary baseline. Consider adding a priority or phasing note (e.g., "Phase 1: Critical for production" vs. "Phase 2: Scalability enhancements") to help maintainers prioritize implementation order.

---

229-275: Verify that aws-infra/policies/iam_elastic_beanstalk_policy.json contains an example or template.

Section 5.4 documents IAM roles comprehensively and notes "least privilege" recommendations for future hardening. The policy file should include either a concrete, sanitized example of the current EB-managed policy configuration, or a template showing the recommended least-privilege hardened version. If currently empty, maintainers lack a concrete reference artifact to implement or review.

---

26-31: Include sanitized example versions of the three deployment configuration files referenced in this section.

Past review comments requested adding example versions of .ebextensions/00_setup.config, Dockerrun.aws.json, and .ebignore with sensitive parts sanitized. Maintainers need concrete, runnable templates for these critical deployment files to understand the expected configuration structure.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (9)

aws-infra/README.md (9)

44-44: Clarify incomplete sentence about load-balanced environment upgrade.

Line 44 lacks a subject: "Can be upgraded later to a load-balanced environment for production" reads incomplete. Suggest revising to: "The environment can be upgraded later to a load-balanced configuration for production."

---

59-59: Simplify redundant phrase in security group description.

The phrase "originally created for App Runner, now reused" is redundant. Consider simplifying to: "An outbound-only egress security group (reused from prior App Runner setup)."

---

188-188: Fix emphasis marker formatting on line 188.

Markdown linter flags spaces inside emphasis markers. Line 188 reads ** Inbound:** with an extra space after the opening **. Remove the space to comply with markdown formatting.

---

276-276: Remove redundant adverb in IAM least-privilege section.

The adverb "only" is used twice in this sentence: "Restricting S3 access to only specific buckets…Restricting ECR access to only required repositories." Consider removing the second instance or replacing with a synonym like "necessary" for clarity.

---

365-365: Strengthen the adjective describing CloudFront logging enhancement.

The phrase "if deeper monitoring is needed" uses a weak comparative adjective. Consider replacing with: "if comprehensive monitoring is needed" or "if detailed access logs are required."

---

429-429: Remove redundant adverb in validation checklist.

The adverb "successfully" appears twice in quick succession: "Celery worker connects to Redis successfully…Celery Beat schedules run successfully." Consider rewording the second instance to: "Celery Beat schedules are dispatched without errors."

---

433-433: Remove blank line inside blockquote on line 433.

Markdown linter flags a blank line inside the blockquote block starting at line 433. Remove the blank line between the > markers to maintain proper blockquote formatting.

---

441-451: Add language specifiers to all fenced code blocks.

Several fenced code blocks lack language identifiers, which markdown linters expect:

• Line 441: ``` → ```bash
• Line 452: ``` → ```bash
• Line 486: ``` → ```text (or omit if showing plaintext output)
• Line 501: ``` → ```text
• Line 515: ```http or ```text (HTTP request)

Adding language tags improves syntax highlighting and follows markdown best practices.

Also applies to: 452-462, 486-495, 501-510, 515-523

---

614-614: Update emphasis style to match markdown linter expectations.

Markdown linter flags underscore emphasis (_End of documentation._) on line 614. Replace with asterisks to comply with style guide: *End of documentation.*

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 87c8b92 and 2e41a6d.

📒 Files selected for processing (1)

• aws-infra/README.md (1 hunks)

🧰 Additional context used

🪛 LanguageTool

aws-infra/README.md

[style] ~44-~44: To form a complete sentence, be sure to include a subject.
Context: ...velopment/testing to reduce cost). - Can be upgraded later to a load-balanced en...

(MISSING_IT_THERE)

---

[style] ~59-~59: This phrase is redundant. Consider writing “created”.
Context: ... outbound egress security group *(originally created for App Runner, now reused for EB netwo...

(ORIGINALLY_CREATED)

---

[style] ~276-~276: This adverb was used twice in the sentence. Consider removing one of them or replacing them with a synonym.
Context: ...c buckets - Restricting ECR access to only required repositories - Minimizing Cl...

(ADVERB_REPETITION_PREMIUM)

---

[style] ~365-~365: Consider a different adjective to strengthen your wording.
Context: ...Disabled** (Can be enabled later if deeper monitoring is needed) --- ## 6. .ebe...

(DEEP_PROFOUND)

---

[style] ~429-~429: This adverb was used twice in the sentence. Consider removing one of them or replacing them with a synonym.
Context: ...uccessfully - Celery Beat schedules run successfully - Flower UI loads on port 5555 (if secu...

(ADVERB_REPETITION_PREMIUM)

🪛 markdownlint-cli2 (0.18.1)

aws-infra/README.md

188-188: Spaces inside emphasis markers

(MD037, no-space-in-emphasis)

---

433-433: Blank line inside blockquote

(MD028, no-blanks-blockquote)

---

441-441: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

452-452: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

486-486: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

501-501: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

515-515: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

614-614: Emphasis style
Expected: asterisk; Actual: underscore

(MD049, emphasis-style)

---

614-614: Emphasis style
Expected: asterisk; Actual: underscore

(MD049, emphasis-style)

🔇 Additional comments (5)

aws-infra/README.md (5)

185-185: RDS public accessibility security issue resolved.

Good news: RDS public accessibility is now disabled, which addresses the prior critical security gap flagged in previous reviews. The private subnet configuration and restricted security group (inbound only from EB SG) are properly in place.

---

398-411: Version numbering guidance clearly documented.

The explanation of container versioning (lines 398–411) directly addresses prior feedback requesting clarity on how to choose version tags. This addition is helpful and well-integrated into the deployment workflow.

---

434-526: Detailed validation section comprehensively addresses prior feedback.

The "How to Validate this deployment?" section (lines 434–526) provides clear step-by-step validation instructions with concrete examples (curl commands, log snippets, UI access). This directly addresses the prior reviewer question "how?" and significantly improves usability of the guide.

---

540-561: Redis TLS configuration location clearly explained.

The dedicated subsection explaining where the Redis TLS fix is applied (lines 540–561) directly addresses prior feedback asking "where would I fix this?" The explanation of .ebextensions/00_setup.config as the source and how EB forwards values to containers is clear and actionable.

---

26-31: Verify that example configuration files are present or planned.

A prior reviewer requested "example versions of these files" (section 2, configuration files) with the response that "sanitized minimal example versions" would be uploaded. The current documentation references these files (.ebextensions/00_setup.config, Dockerrun.aws.json, .ebignore) but no example snippets or separate example directory is visible in this PR.

Please confirm:

1. Are sanitized example versions of these configuration files included elsewhere in the PR (e.g., under aws-infra/examples/)?
2. If not yet added, should this be tracked as a follow-up task, or should examples be added before merging this PR?

[coderabbitai]

Actionable comments posted: 4

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2e41a6d and 68b8002.

⛔ Files ignored due to path filters (1)

• aws-infra/images/aws-architecture.png is excluded by !**/*.png

📒 Files selected for processing (1)

• aws-infra/README.md (1 hunks)

🧰 Additional context used

🪛 LanguageTool

aws-infra/README.md

[style] ~49-~49: To form a complete sentence, be sure to include a subject.
Context: ...velopment/testing to reduce cost). - Can be upgraded later to a load-balanced en...

(MISSING_IT_THERE)

---

[style] ~280-~280: This adverb was used twice in the sentence. Consider removing one of them or replacing them with a synonym.
Context: ...c buckets - Restricting ECR access to only required repositories - Minimizing Cl...

(ADVERB_REPETITION_PREMIUM)

---

[style] ~369-~369: Consider a different adjective to strengthen your wording.
Context: ...Disabled** (Can be enabled later if deeper monitoring is needed) --- ## 6. .ebe...

(DEEP_PROFOUND)

---

[style] ~433-~433: This adverb was used twice in the sentence. Consider removing one of them or replacing them with a synonym.
Context: ...uccessfully - Celery Beat schedules run successfully - Flower UI loads on port 5555 (if secu...

(ADVERB_REPETITION_PREMIUM)

🪛 markdownlint-cli2 (0.18.1)

aws-infra/README.md

192-192: Spaces inside emphasis markers

(MD037, no-space-in-emphasis)

---

437-437: Blank line inside blockquote

(MD028, no-blanks-blockquote)

---

445-445: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

456-456: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

490-490: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

505-505: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

519-519: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

615-615: Emphasis style
Expected: asterisk; Actual: underscore

(MD049, emphasis-style)

---

615-615: Emphasis style
Expected: asterisk; Actual: underscore

(MD049, emphasis-style)

🔇 Additional comments (5)

aws-infra/README.md (5)

92-176: Well-organized container and environment variable documentation.

The Docker container descriptions and environment variable taxonomy are clear, well-categorized, and easy to navigate. This will help maintainers understand the deployment model and required configuration.

---

178-302: RDS security concern is properly addressed.

The RDS configuration correctly specifies public accessibility as Disabled (line 189) with restrictive inbound rules from only the EB security group. This resolves the prior concern. The overall infrastructure documentation is comprehensive, with RDS and Redis properly isolated in private subnets and secured via security group rules. The IAM section appropriately documents the use of broad managed policies for initial deployment while recommending least-privilege refinement as a future hardening step.

---

305-371: CloudFront architecture is well-documented and secure.

The distribution strategy (S3 for static files, EB for /api/* routes), origin access control, and security posture are clearly explained. The HTTPS enforcement and S3 bucket protection via OAC demonstrate good security practices.

---

387-427: Deployment workflow is clear and actionable.

The five-step deployment process with Docker image versioning guidance is well-structured and includes helpful notes about semantic versioning choices. This makes it easy for contributors to follow a consistent versioning scheme.

---

532-582: Troubleshooting section thoroughly addresses common deployment issues.

The Redis TLS configuration and EB health check sections provide clear fixes with explanations of how Elastic Beanstalk injects environment variables into containers. This directly addresses prior questions about where to apply fixes and demonstrates good understanding of the deployment mechanics.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Fix fragment sentence.

This line lacks a subject. Restructure to: "This environment can be upgraded later to a load-balanced environment for production."

🧰 Tools

🪛 LanguageTool

[style] ~49-~49: To form a complete sentence, be sure to include a subject.
Context: ...velopment/testing to reduce cost). - Can be upgraded later to a load-balanced en...

(MISSING_IT_THERE)

🤖 Prompt for AI Agents

In aws-infra/README.md around line 49, the sentence "Can be upgraded later to a
load-balanced environment for production." is a fragment without a subject;
replace it with a full sentence such as "This environment can be upgraded later
to a load-balanced environment for production." to fix grammar and clarity.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Future improvements are well-prioritized and realistic.

The roadmap appropriately covers security hardening (Secrets Manager, IAM least-privilege), reliability enhancements (Multi-AZ, health monitoring), and operational maturity (CI/CD, staging). However, fix the emphasis style on line 615: change _End of documentation._ to *End of documentation.* to match the file's asterisk emphasis convention (MD049).

-_End of documentation._
+*End of documentation.*

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	## 9. Future Improvements
	To harden the deployment and move toward a production-grade architecture, the following enhancements are recommended:
	- **Move secrets to AWS Secrets Manager**
	Centralize all sensitive variables (DB password, Redis URL, Django secret key, Sentry key, SendGrid, etc.) and replace `.ebextensions` injection with runtime retrieval.
	- **Enable ElastiCache Multi-AZ + Auto-Failover**
	Improves high availability for Celery and Django caching; eliminates single-node Redis failure risks.
	- **IAM hardening and least-privilege review**
	Replace broad EB-managed policies with reduced IAM policies scoped only to required S3, ECR, CloudWatch, and ECS resources.
	- **Add CI/CD pipeline (GitHub Actions -> ECR -> EB)**
	Automate build, tag, push of images and deployments to Elastic Beanstalk for consistent, reproducible releases.
	- **Add staging environment**
	Separate EB environment (staging) for testing migrations, image builds, and infrastructure changes before production.
	- **Migrate to load-balanced EB environment (optional)**
	Enables rolling deployments, zero-downtime updates, and better scalability.
	- **Enable RDS Multi-AZ + automated backups**
	Ensures database failover and improves disaster recovery readiness.
	- **Add health checks for Celery worker & beat**
	Custom EB or CloudWatch alarms to alert on worker failures, broker connectivity issues, or long task queues.
	---
	_End of documentation._
	## 9. Future Improvements
	To harden the deployment and move toward a production-grade architecture, the following enhancements are recommended:
	- **Move secrets to AWS Secrets Manager**
	Centralize all sensitive variables (DB password, Redis URL, Django secret key, Sentry key, SendGrid, etc.) and replace `.ebextensions` injection with runtime retrieval.
	- **Enable ElastiCache Multi-AZ + Auto-Failover**
	Improves high availability for Celery and Django caching; eliminates single-node Redis failure risks.
	- **IAM hardening and least-privilege review**
	Replace broad EB-managed policies with reduced IAM policies scoped only to required S3, ECR, CloudWatch, and ECS resources.
	- **Add CI/CD pipeline (GitHub Actions -> ECR -> EB)**
	Automate build, tag, push of images and deployments to Elastic Beanstalk for consistent, reproducible releases.
	- **Add staging environment**
	Separate EB environment (staging) for testing migrations, image builds, and infrastructure changes before production.
	- **Migrate to load-balanced EB environment (optional)**
	Enables rolling deployments, zero-downtime updates, and better scalability.
	- **Enable RDS Multi-AZ + automated backups**
	Ensures database failover and improves disaster recovery readiness.
	- **Add health checks for Celery worker & beat**
	Custom EB or CloudWatch alarms to alert on worker failures, broker connectivity issues, or long task queues.
	---
	*End of documentation.*

🧰 Tools

🪛 markdownlint-cli2 (0.18.1)

615-615: Emphasis style
Expected: asterisk; Actual: underscore

(MD049, emphasis-style)

---

615-615: Emphasis style
Expected: asterisk; Actual: underscore

(MD049, emphasis-style)

🤖 Prompt for AI Agents

In aws-infra/README.md around lines 583 to 615, the closing emphasis uses
underscores (`_End of documentation._`) which violates the file's asterisk
emphasis convention (MD049); change that line to use asterisks (`*End of
documentation.*`) to match the rest of the document's emphasis style. Ensure
only the delimiter characters are changed and no trailing spaces or other
formatting are altered.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

aws-infra/modifications/storage.py (3)

18-43: Refine USE_AWS detection and annotate intentional MinIO test credentials

The runtime switching logic looks good, but two small tweaks would make it more robust and linter‑friendly:

• USE_AWS currently checks only for attribute presence, not truthiness. This can select the AWS path even when settings are present but empty, leading to partially configured S3.
• The MinIO minioadmin credentials are clearly non‑secret test values, but they’ll keep triggering S106 unless annotated.

You could tighten detection and mark the MinIO creds as intentional, e.g.:

-USE_AWS = all([
-    hasattr(settings, "DJANGO_AWS_ACCESS_KEY_ID"),
-    hasattr(settings, "DJANGO_AWS_SECRET_ACCESS_KEY"),
-    hasattr(settings, "DJANGO_AWS_STORAGE_BUCKET_NAME"),
-])
+USE_AWS = all(
+    getattr(settings, attr, None)
+    for attr in (
+        "DJANGO_AWS_ACCESS_KEY_ID",
+        "DJANGO_AWS_SECRET_ACCESS_KEY",
+        "DJANGO_AWS_STORAGE_BUCKET_NAME",
+    )
+)
@@
-    S3_TEST_CONFIG = s3.S3Config(
-        endpoint_url="http://minio:9000",
-        access_key_id="minioadmin",
-        secret_access_key="minioadmin",
+    S3_TEST_CONFIG = s3.S3Config(
+        endpoint_url="http://minio:9000",
+        access_key_id="minioadmin",  # noqa: S106 - local MinIO test credentials
+        secret_access_key="minioadmin",  # noqa: S106 - local MinIO test credentials

This keeps behavior the same in EB while avoiding accidental “AWS mode” when values are blank and silencing the false‑positive secret warning in local/test mode.

---

52-60: Prefix verification: avoid blind Exception and log full traceback

The best‑effort prefix write is a nice safeguard, but the current broad except Exception as e plus string interpolation both hides the traceback and triggers BLE001/TRY400.

If you want to keep this as a non‑fatal catch‑all, consider explicitly documenting that and using logger.exception so failures are debuggable:

-    try:
-        s3.write_file(S3_TEST_CONFIG, placeholder_key, b"")
-        logger.info(f"[S3] Verified prefix exists: {placeholder_key}")
-    except Exception as e:
-        logger.error(f"[S3] Could not verify prefix '{prefix}': {e}")
+    try:
+        s3.write_file(S3_TEST_CONFIG, placeholder_key, b"")
+        logger.info("[S3] Verified prefix exists: %s", placeholder_key)
+    except Exception:  # noqa: BLE001 - non-fatal, best-effort prefix check
+        logger.exception("[S3] Could not verify prefix '%s'", prefix)

Alternatively, if you know the concrete exception types from s3.write_file (e.g., botocore errors), narrowing the except clause to those would also satisfy the linter.

---

80-125: Document populate_bucket behavior when skip_existing=True

The demo uploader is handy, and the “do nothing if anything already exists under subdir” behavior makes sense for one‑shot seeding. However, that behavior (returning [] when data already exists) isn’t obvious from the signature alone.

To make the API clearer to callers, consider adding a short docstring that spells this out:

 def populate_bucket(
@@
-    skip_existing: bool = True,
-) -> list[GeneratedTestFrame]:
-
-    created = []
+    skip_existing: bool = True,
+) -> list[GeneratedTestFrame]:
+    """
+    Populate the given S3 subdir with generated demo frames.
+
+    Returns a list of frames that were newly uploaded. If ``skip_existing`` is
+    True and any objects are already present under ``subdir``, the function
+    logs and returns an empty list without uploading anything.
+    """
+
+    created: list[GeneratedTestFrame] = []

That should prevent surprises for callers who might otherwise interpret [] as “no frames generated” rather than “bucket already seeded.”

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9803c04 and 35fb523.

📒 Files selected for processing (1)

• aws-infra/modifications/storage.py (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

aws-infra/modifications/storage.py (3)

ami/main/models.py (1)

• S3StorageSource (1390-1488)

ami/tests/fixtures/images.py (2)

• GeneratedTestFrame (130-138)
• generate_moth_series (141-239)

ami/utils/s3.py (2)

• S3Config (34-48)
• write_file (553-559)

🪛 Ruff (0.14.8)

aws-infra/modifications/storage.py

39-39: Possible hardcoded password assigned to argument: "secret_access_key"

(S106)

---

58-58: Do not catch blind exception: Exception

(BLE001)

---

59-59: Use logging.exception instead of logging.error

Replace with exception

(TRY400)

[carlosgjs]

just some minor comments, thx!

[carlosgjs]

Can you add a note that AWS deployment is experimental and not supported at this time?

[bhagyashreewagh]

Done!

[carlosgjs]

Can you add a comment about the purpose of this module and when/where the two functions run?

[bhagyashreewagh]

Done!

[carlosgjs]

I would add moving the secrets into AWS Secrets manager so that they don't have to be set in plain text in the config files

[bhagyashreewagh]

Yes I already mentioned it

[netlify]

👷 Deploy request for antenna-ssec pending review.

Visit the deploys page to approve it

Name	Link
🔨 Latest commit	671d254