AWS Accounts

CWIQ uses two AWS accounts with strict separation of purpose. Every AWS CLI command and every Terraform operation must explicitly specify the correct account profile.


Account Reference

| Account | Account ID | CLI Profile | Purpose | VPC CIDR |
|---|---|---|---|---|
| shared-services | 308188966547 | shared-services | GitLab, Vault, Nexus, Authentik, Observability stack, Route53 zones | 10.0.0.0/16 |
| dev | 686123185567 | dev | Orchestrator platform, EKS cluster, CI/CD runners | 10.1.0.0/16 |

Never use the default AWS profile

The default AWS profile (921838417607) is the management/root account. It contains orphaned duplicate Route53 zones and other resources left over from early infrastructure setup. Running any AWS CLI command or Terraform operation without an explicit --profile flag will silently target the wrong account. ALWAYS pass --profile shared-services or --profile dev.


Account Responsibilities

shared-services (308188966547)

Everything that is shared across all environments lives here:

  • GitLab CE (gitlab.shared.cwiq.io)
  • HashiCorp Vault (vault.shared.cwiq.io)
  • Nexus artifact repository (nexus.shared.cwiq.io)
  • Authentik SSO (auth.shared.cwiq.io)
  • Grafana, Loki, Prometheus observability stack
  • SonarQube (sonarqube.shared.cwiq.io)
  • DefectDojo (defectdojo.shared.cwiq.io)
  • Route53 hosted zones: shared.cwiq.io, dev.cwiq.io
  • Terraform state S3 bucket (cwiq-terraform-states) — used by all environments

dev (686123185567)

The development environment for the orchestrator platform:

  • Dev orchestrator server (orchestrator.dev.cwiq.io)
  • EKS Kubernetes cluster (cwiq-dev-eks-cluster) — CI/CD runners
  • LangFuse server (langfuse.dev.cwiq.io)
  • Demo orchestrator server (orchestrator.demo.cwiq.io)

VPC Connectivity

```mermaid
flowchart LR
    subgraph shared["shared-services VPC\n10.0.0.0/16"]
        GL[GitLab\n10.0.x.x]
        VT[Vault\n10.0.x.x]
        OBS[Observability\n10.0.15.x]
    end
    subgraph dev["dev VPC\n10.1.0.0/16"]
        ORCH[Orchestrator\n10.1.35.x]
        EKS[EKS Runners\n10.1.34-35.x]
    end
    shared <-->|VPC Peering\npcx-0535aabbb2629e915| dev
```

VPC peering (pcx-0535aabbb2629e915) connects the two VPCs bidirectionally. Traffic between them uses private IPs and does not traverse the public internet.

Key cross-VPC flows:

| Source | Destination | Purpose |
|---|---|---|
| EKS runner pods (10.1.x.x) | Dev server (10.1.35.46) | SSH deploy from CI/CD pipelines |
| EKS runner pods (10.1.x.x) | GitLab (10.0.x.x) | CI/CD job coordination |
| Dev server | Observability stack (10.0.15.x) | Log and metric forwarding via Tailscale |
| Any server | Nexus (10.0.x.x) | Artifact pull during builds and deploys |

EKS pods and Tailscale

EKS runner pods use VPC CNI and are assigned VPC IPs (10.1.34.0/24, 10.1.35.0/24). Tailscale is not available inside pods. CI/CD deploy-dev jobs must use the VPC private IP of the target server, not Tailscale hostnames.


DNS and Route53

Both shared.cwiq.io and dev.cwiq.io hosted zones live in the shared-services account (308188966547). The management account (921838417607) contains orphaned duplicate zones — never modify those.

All DNS changes go through Terraform in terraform-plan/:

```bash
# Always verify you are in the correct account before touching Route53
aws sts get-caller-identity --profile shared-services
# Expected: Account = 308188966547

# List hosted zones
aws route53 list-hosted-zones --profile shared-services
```
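The identity check above can be turned into a guard that every CLI and Terraform invocation passes through. The following is an added example, not code from the CWIQ repositories: it encodes the profile-to-account mapping from the Account Reference table and refuses to run a command when the profile resolves to any other account. The function names (`with_account`, `verify_identity`, `account_from_identity_json`) are assumptions for this example.

```bash
#!/usr/bin/env bash
# Guard against the wrong-account failure mode described above: refuse to run
# an AWS CLI or Terraform command unless the named profile resolves to the
# account ID documented for it. Function names are assumptions for this example.
set -eu

# Profile -> account ID, taken from the Account Reference table on this page.
expected_account_id() {
    case "$1" in
        shared-services) echo 308188966547 ;;
        dev)             echo 686123185567 ;;
        *)               return 1 ;;   # default/management profile is never allowed
    esac
}

# Pull the "Account" field out of `aws sts get-caller-identity` JSON output.
# Plain sed so the check also works on minimal CI images without jq.
account_from_identity_json() {
    printf '%s\n' "$1" |
        sed -n 's/.*"Account"[[:space:]]*:[[:space:]]*"\([0-9]\{12\}\)".*/\1/p'
}

# Succeeds only when the identity JSON belongs to the account expected for the
# profile; prints a diagnostic and fails otherwise.
verify_identity() {
    local profile="$1" identity_json="$2" expected actual
    if ! expected="$(expected_account_id "$profile")"; then
        echo "unknown profile '$profile': use shared-services or dev" >&2
        return 1
    fi
    actual="$(account_from_identity_json "$identity_json")"
    if [ "$actual" != "$expected" ]; then
        echo "profile '$profile' resolved to account '${actual:-none}', expected $expected" >&2
        return 1
    fi
}

# Run a command only after a live identity check passes. AWS_PROFILE is exported
# instead of appending --profile so the same wrapper covers both aws and terraform.
# Usage: with_account shared-services aws route53 list-hosted-zones
#        with_account dev terraform plan
with_account() {
    local profile="$1" identity
    shift
    identity="$(aws sts get-caller-identity --profile "$profile" --output json)"
    verify_identity "$profile" "$identity"
    AWS_PROFILE="$profile" "$@"
}
```

Sourcing this file in a CI job and invoking every `aws` and `terraform` command through `with_account` turns the silent wrong-account case into a hard failure before any resource is touched.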

Infrastructure as Code

All AWS resource creation and modification must go through Terraform. Never create or modify resources in the AWS Console.

| Change Type | Tool | Repository |
|---|---|---|
| AWS resources (VPC, EC2, IAM, S3) | Terraform | terraform-plan/ |
| DNS records (Route53) | Terraform | terraform-plan/ |
| Network config (VPC, subnets, security groups) | Terraform | terraform-plan/ |
| Tailscale ACLs | Terraform (Tailscale provider) | terraform-plan/ |
| Server configuration | Ansible | ansible-playbooks/ |

See Terraform Operations for the module-level workflow and required variables.