​

Infrastructure Architecture

​

Infrastructure Diagram

​

Infrastructure Overview

​

Technology Stack

• Infrastructure as Code using TypeScript
• Serverless-first architecture
• Multi-stage deployment support
• AWS resource provisioning and management

• Region: ap-southeast-1 (Singapore)
• Architecture: ARM64 for cost optimization
• Runtime: Node.js 22.x for latest performance features

• Global DNS resolution
• DDoS protection and security features
• SSL/TLS certificate management
• Performance optimization

​

Stage Management

​

Stage Types

• Production (prod): Live user-facing environment
• Staging (staging): Pre-production testing environment
• Development (dev): Development and testing environment

• Pull Request Stages (pr-*): Temporary environments for feature testing
• Feature Branches: Individual developer environments

​

Domain Strategy

​

Permanent Stages

• Production: sgcarstrends.com (apex domain for SEO optimization)
• Staging: staging.sgcarstrends.com
• Development: dev.sgcarstrends.com

• Production: api.sgcarstrends.com
• Staging: api.staging.sgcarstrends.com
• Development: api.dev.sgcarstrends.com

​

Ephemeral Stages

• Web: {stage-name}.sgcarstrends.com
• API: api-{stage-name}.sgcarstrends.com

• PR #123: pr-123.sgcarstrends.com and api-pr-123.sgcarstrends.com
• Feature branch: feature-auth.sgcarstrends.com

​

Stage Configuration

• Production: Protected from accidental deletion
• Staging: Retained for stability
• Ephemeral: Automatically cleaned up after use

// Production: Strict origin policy
{
  allowOrigins: ["https://sgcarstrends.com"],
  maxAge: "1 day"
}

// Staging/Development: Open for testing
{
  allowOrigins: ["*"]
}

​

AWS Infrastructure Components

​

Compute Layer

​

API Service Lambda Function

• Architecture: ARM64 (cost-optimized)
• Runtime: Node.js 22.x
• Timeout: 120 seconds (for long-running workflows)
• Memory: Optimized based on usage patterns
• Handler: apps/api/src/index.handler

• Core: STAGE, DATABASE_URL, SG_CARS_TRENDS_API_TOKEN
• AI Integration: GEMINI_API_KEY
• Workflow: QSTASH_TOKEN, QSTASH_*_SIGNING_KEY
• Caching: UPSTASH_REDIS_REST_URL, UPSTASH_REDIS_REST_TOKEN
• Social Media: Platform-specific credentials and webhook URLs

​

Web Application Lambda Functions

• Architecture: ARM64
• Runtime: Node.js 22.x
• Warm Instances: 1 (to reduce cold starts)
• Framework: Next.js 15 with App Router

• CloudFront Distribution: Global CDN for static content
• S3 Integration: Automatic asset deployment
• Caching: Optimized cache policies for performance

​

Networking Layer

​

CloudFront Distribution

• Edge Locations: Worldwide distribution for low latency
• Cache Policies: Optimized for static assets and API responses
• Security: SSL/TLS termination and DDoS protection
• Compression: Automatic gzip compression

​

API Gateway

• Request Routing: Route API requests to Lambda functions
• Authentication: Integration with Lambda authorizers
• Rate Limiting: Built-in request throttling
• Monitoring: Request/response logging and metrics

​

SST Router

• Domain Management: Single router for all subdomains
• SSL Certificates: Automatic certificate provisioning
• Alias Support: Wildcard subdomain support (*.sgcarstrends.com)
• Redirects: www → apex domain redirects for production

​

DNS and Domain Management

​

Cloudflare DNS

• Global Anycast: Fast DNS resolution worldwide
• DNSSEC: DNS security extensions enabled
• Analytics: DNS query analytics and insights

• DDoS Protection: Automatic attack mitigation
• Bot Management: Intelligent bot detection
• Web Application Firewall: Customizable security rules

​

Domain Configuration

• Automatic Provisioning: SST handles certificate creation
• Wildcard Certificates: *.sgcarstrends.com for subdomains
• Auto-renewal: Managed certificate lifecycle

​

External Service Integration

​

Data Sources

• Authentication: API key-based access
• Data Formats: CSV files in ZIP archives
• Update Frequency: Daily updates for vehicle registration and COE data
• Rate Limits: Respect API quotas and throttling

• Purpose: LLM-powered blog content generation
• Authentication: API key authentication
• Usage: Market analysis and content creation
• Rate Limits: API quota management

​

Message Queue

• Purpose: Serverless workflow orchestration
• Features: Scheduled jobs, retry logic, error handling
• Integration: Direct Lambda function invocation
• Security: Webhook signature verification

​

Databases

​

PostgreSQL Database

• Connection: SSL-encrypted connections
• Backup: Automated backup and point-in-time recovery
• Scaling: Read replicas for scaled read operations
• Monitoring: Performance insights and query analysis

​

Redis Cache (Upstash)

• Purpose: Caching, session storage, workflow state
• Features: REST API for serverless compatibility
• Persistence: Optional data persistence
• Security: TLS encryption and authentication tokens

​

Social Media Integration

• Discord: Webhook-based notifications
• LinkedIn: OAuth-based API access with token refresh
• Telegram: Bot API for channel messaging
• Twitter: API v2 integration with OAuth 1.0a

​

Deployment Architecture

​

Deployment Pipeline

# Deploy to specific stage
sst deploy --stage prod
sst deploy --stage staging
sst deploy --stage dev

# Local development
sst dev --stage local

• Each stage has completely isolated resources
• Environment variables configured per stage
• Independent CloudWatch log groups
• Separate domain configurations

​

Resource Management

• Resources prefixed with stage name
• Consistent naming convention across stages
• Easy identification and management

• ARM64 architecture for 20% cost savings
• Serverless pay-per-use model
• Optimized Lambda memory allocation
• CDN caching to reduce origin requests

​

Monitoring and Observability

​

CloudWatch Integration

• Lambda Logs: Automatic log collection per function
• API Gateway Logs: Request/response logging
• CloudFront Logs: Access logs for CDN analysis
• Custom Metrics: Business logic metrics

• Error Rate Monitoring: Automatic alerts for high error rates
• Performance Monitoring: Slow response time alerts
• Resource Utilization: Memory and timeout alerts

​

Application Monitoring

• API Health: /health endpoint monitoring
• Database Connectivity: Connection health checks
• External Service Health: Dependency monitoring

• Response Times: API endpoint performance
• Cache Hit Rates: Redis cache effectiveness
• Error Rates: Platform-specific error tracking

​

Security Configuration

​

Network Security

• SSL/TLS Termination: At CloudFront edge
• HSTS Headers: Enforce secure connections
• Certificate Management: Automatic provisioning and renewal

• Bearer Token Authentication: API access control
• CORS Policies: Stage-specific cross-origin policies
• Rate Limiting: Configurable request throttling (disabled by default)

​

Environment Security

• Environment Variables: Secure storage of API keys and tokens
• No Hardcoded Secrets: All sensitive data in environment variables
• Stage Isolation: Separate secrets per environment

• IAM Roles: Least-privilege Lambda execution roles
• Resource Policies: Granular access control
• VPC Integration: Optional VPC isolation for enhanced security

​

Disaster Recovery

​

Backup Strategy

• Automated Backups: Daily database snapshots
• Point-in-time Recovery: Restore to specific timestamp
• Cross-region Replication: Optional for critical data

• Infrastructure as Code: Complete infrastructure defined in code
• Version Control: All configurations in Git repository
• Rapid Reconstruction: Complete environment recreation

​

Recovery Procedures

• Automated Rollback: SST deployment rollback capabilities
• Health Monitoring: Automatic failure detection
• Multi-region Failover: Optional setup for high availability

​

Related Documentation

• System Architecture Overview
• API Architecture
• Data Processing Workflows
• Infrastructure Configuration Documentation