AWS Infrastructure Map

Last verified: 2026-03-09
Region: us-east-2
Account: 405834051536

```mermaid
flowchart TB
subgraph Internet["Internet + DNS + Email"]
Users["Users / CLI / Web"]
DNS["Route53: api.dispatchjoin.com"]
SES["SES Inbound\nRule set: dispatch-inbound"]
end
subgraph AWS["AWS us-east-2"]
ALB["ALB: dispatch-prod-api\n:80 redirect -> :443\n:443 forward -> target group :8080"]
ECR["ECR: dispatch"]
SSM["SSM Parameter Store\n/dispatch/prod/*"]
CW["CloudWatch Logs + Alarms"]
OpsSNS["SNS: dispatch-prod-ops-alerts"]
subgraph VPC["VPC 10.42.0.0/16"]
subgraph PublicSubnets["Public subnets (2 AZ)"]
API["ECS service: dispatch-api-prod\nTask def: dispatch-api-prod:21"]
Worker["ECS service: dispatch-worker-prod\nTask def: dispatch-worker-prod:20"]
end
subgraph PrivateSubnets["DB subnets (2 AZ, private)"]
RDS["RDS Postgres: dispatch-prod-postgres"]
end
end
InboundBucket["S3: dispatch-prod-...-inbound-raw"]
InboundQ["SQS: dispatch-prod-inbound-jobs"]
InboundDLQ["SQS DLQ: dispatch-prod-inbound-jobs-dlq"]
InboundSNS["SNS: dispatch-prod-inbound"]
DebugQ["SQS: dispatch-prod-inbound-debug"]
end
subgraph CI["GitHub Actions"]
Deploy["deploy-api.yml"]
TF["terraform.yml"]
end
Users --> DNS --> ALB --> API
API <--> RDS
Worker <--> RDS
API --> SSM
Worker --> SSM
SES --> InboundBucket
InboundBucket -->|"S3 ObjectCreated inbound/*"| InboundQ
InboundQ -->|"long-poll + process"| Worker
InboundQ -->|"redrive after retries"| InboundDLQ
InboundSNS -->|"HTTPS /v1/webhooks/aws/sns"| API
InboundSNS --> DebugQ
ALB --> CW
API --> CW
Worker --> CW
RDS --> CW
InboundQ --> CW
InboundDLQ --> CW
CW --> OpsSNS
Deploy --> ECR
Deploy --> API
Deploy --> Worker
Deploy -->|"one-shot migration task"| RDS
TF --> AWS
```

API request path
  1. Client resolves api.dispatchjoin.com in Route53.
  2. Traffic goes to the ALB.
  3. ALB forwards to the ECS API task on port 8080.
  4. API reads/writes Postgres and reads secrets/config from SSM.

Inbound email path
  1. SES inbound receipt rule stores the raw email in S3 (inbound/ prefix).
  2. S3 ObjectCreated event sends a message to the SQS inbound queue.
  3. ECS worker long-polls SQS and processes the message.
  4. Worker fetches the MIME payload from S3, parses it, and ingests it into Postgres.
  5. Worker deletes the SQS message on success.
  6. Failed messages eventually redrive to the DLQ after the max receive count is reached.

Verified resources
  • VPC: vpc-025af4acb421394d4 (10.42.0.0/16)
  • Public subnet us-east-2a: subnet-07ed83b0b40d35fa2
  • Public subnet us-east-2b: subnet-08554ab6af5ad1dc7
  • DB subnet us-east-2a: subnet-012fb16b8afba0236
  • DB subnet us-east-2b: subnet-0904035192e675d98
  • ALB SG: sg-01cd546a8b8ca7ed5 (ingress 80/443 from 0.0.0.0/0)
  • ECS SG: sg-00282a825d4059389 (ingress 8080 from ALB SG)
  • DB SG: sg-0589f30424e16e8b1 (ingress 5432 from ECS SG)
  • ECS service dispatch-api-prod: desired/running 1/1
  • ECS service dispatch-worker-prod: desired/running 1/1
  • RDS: dispatch-prod-postgres (db.t4g.micro, available)
  • Inbound queue: dispatch-prod-inbound-jobs (DLQ configured, maxReceiveCount 6)
  • Inbound DLQ: dispatch-prod-inbound-jobs-dlq
  • Inbound SNS topic: dispatch-prod-inbound
  • Ops alerts topic: dispatch-prod-ops-alerts

Findings
  1. WAF not attached to ALB.
  • Why: the public API has no managed edge filtering/rate controls despite WAF Terraform resources existing.
  • Action: apply Terraform to ensure the Web ACL exists and the association is active.
  2. Ops alerts SNS topic has no subscriptions.
  • Why: alarms can trigger but nobody receives notifications.
  • Action: configure alarm_notification_email and/or alarm_notification_https_endpoint, then apply.
  3. dispatch-prod-inbound-debug SQS queue is subscribed to the inbound SNS topic in production.
  • Why: extra prod data fan-out that is not part of the core path.
  • Action: remove the subscription if not actively used, or isolate it under an explicit debug workflow.
  4. API and worker run in public subnets with public IPs.
  • Why: lower cost and simpler egress, but a larger exposure surface than private-subnet ECS.
  • Action: keep for now if cost-sensitive; move ECS to private subnets with controlled egress when tightening security posture.
  5. SNS inbound topic still exists and the API webhook subscription remains.
  • Reason: still used for outbound SES event notifications and the SNS subscription handshake flow.
  • Improvement: split naming (ses-events vs inbound) to reduce confusion.
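
The resource list and findings above can be re-checked mechanically on each verification pass. The following is an added example, not project code: it encodes the intended security-group ingress from the inventory and the first two findings (missing WAF association, empty ops-alerts topic) as checks over dicts shaped like the boto3 responses from `describe_security_groups`, `list_subscriptions_by_topic` and `get_web_acl_for_resource`; the sample input is constructed, with a deliberately world-open DB rule to show drift.

```python
# Posture checks over the dispatch-prod inventory above (added example, not project code). Inputs are
# dicts in the shape of boto3 responses (describe_security_groups, list_subscriptions_by_topic,
# get_web_acl_for_resource), so live responses can be passed in unchanged.
# Intended ingress from the inventory: SG id -> {(port, source)}; source is a CIDR or an SG id.
EXPECTED_INGRESS = {
    "sg-01cd546a8b8ca7ed5": {(80, "0.0.0.0/0"), (443, "0.0.0.0/0")},  # ALB SG
    "sg-00282a825d4059389": {(8080, "sg-01cd546a8b8ca7ed5")},         # ECS SG, only from the ALB
    "sg-0589f30424e16e8b1": {(5432, "sg-00282a825d4059389")},         # DB SG, only from ECS tasks
}

def ingress_rules(sg: dict) -> set:
    """Flatten one SecurityGroup entry into {(port, source)}; all-traffic and port ranges become strings."""
    rules = set()
    for perm in sg.get("IpPermissions", []):
        lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
        port = "all" if perm.get("IpProtocol") == "-1" else (lo if lo == hi else f"{lo}-{hi}")
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
        rules.update((port, src) for src in sources)
    return rules

def sg_drift(groups: list) -> dict:
    """Per tracked SG: rules present but not intended ('unexpected') and intended but absent ('missing')."""
    drift = {}
    for sg in groups:
        want, have = EXPECTED_INGRESS.get(sg["GroupId"]), ingress_rules(sg)
        if want is not None and have != want:
            drift[sg["GroupId"]] = {"unexpected": have - want, "missing": want - have}
    return drift

def confirmed_subscribers(resp: dict) -> int:
    """Only confirmed subscriptions deliver; pending ones show SubscriptionArn == 'PendingConfirmation'."""
    return sum(s.get("SubscriptionArn", "PendingConfirmation") != "PendingConfirmation"
               for s in resp.get("Subscriptions", []))

def audit(groups: list, ops_subs: dict, waf_resp: dict) -> list:
    findings = [f"{sg}: unexpected={d['unexpected']} missing={d['missing']}"
                for sg, d in sg_drift(groups).items()]
    if confirmed_subscribers(ops_subs) == 0:
        findings.append("dispatch-prod-ops-alerts: no confirmed subscribers, alarms are not delivered")
    if not waf_resp.get("WebACL"):  # get_web_acl_for_resource omits WebACL when nothing is associated
        findings.append("dispatch-prod-api ALB: no Web ACL associated")
    return findings

# Constructed sample: DB SG carries an extra world-open 5432 rule, ops topic is empty, no WAF attached.
SAMPLE_GROUPS = [{"GroupId": "sg-0589f30424e16e8b1", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "UserIdGroupPairs": [{"GroupId": "sg-00282a825d4059389"}]}]}]
SAMPLE_FINDINGS = audit(SAMPLE_GROUPS, {"Subscriptions": []}, {})
```

An empty list from `audit` means the tracked security groups match the inventory, the ops topic has at least one confirmed subscriber, and a Web ACL is associated with the ALB.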