Core Application Services

S3 (Simple Storage Service)

Component: s3-bucket/opennext
Purpose: Cache storage bucket for OpenNext static content

Configuration:
  • Access: Private with public access blocked
  • Encryption: AES-256 (SSE-S3) by default, KMS optional
  • Versioning: Disabled
  • Lifecycle: Auto-expire cached objects after 30 days

IAM Permissions: s3:ListBucket, s3:GetObject, s3:PutObject, s3:DeleteObject

DynamoDB

Component: dynamodb/opennext
Purpose: Cache metadata table for OpenNext ISR (Incremental Static Regeneration) tag cache

Configuration:
  • Billing Mode: PAY_PER_REQUEST (on-demand)
  • Hash Key: tag (String)
  • Range Key: path (String)
  • TTL Attribute: revalidatedAt
  • Encryption: AWS-owned key by default, CMK optional

IAM Permissions: GetItem, PutItem, UpdateItem, DeleteItem, Query, Scan, BatchGetItem, BatchWriteItem

SQS (Simple Queue Service)

Component: sqs-queue/opennext
Purpose: Revalidation queue for OpenNext ISR revalidation notifications

Configuration:
  • Queue Type: Standard
  • Visibility Timeout: 30 seconds
  • Message Retention: 1 day (86,400 seconds)
  • Long Polling: 20 seconds
  • Encryption: SQS-managed SSE
  • Dead Letter Queue: Enabled (max receive count: 3)

IAM Permissions: SendMessage, ReceiveMessage, DeleteMessage, GetQueueAttributes, GetQueueUrl, ChangeMessageVisibility

SSM Parameter Store

Component: ssm-parameters/opennext
Purpose: Configuration parameters for the OpenNext application

Parameters Stored:
  • /valinor/CACHE_BUCKET_NAME - S3 bucket name
  • /valinor/CACHE_BUCKET_REGION - S3 bucket region
  • /valinor/CACHE_DYNAMO_TABLE - DynamoDB table name
  • /valinor/REVALIDATION_QUEUE_URL - SQS queue URL
  • /valinor/REVALIDATION_QUEUE_REGION - SQS region

IAM (Identity and Access Management)

Component: iam-role/opennext
Purpose: IRSA (IAM Roles for Service Accounts) for pod identity and access control

Configuration:
  • Trust Policy: EKS OIDC provider federation
  • Service Account: valinor-opennext in the valinor namespace
  • Scope: Limited to resources created by the bundle
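As an added example (not part of this documentation or the bundle's own code), a check that an IRSA trust policy is scoped the way this component describes: federated through the cluster OIDC provider and pinned to the valinor-opennext service account in the valinor namespace. The account id and OIDC provider id are constructed placeholders.

```python
"""Verify an IRSA trust policy is pinned to one Kubernetes service account."""

# Constructed placeholders: substitute the real account id and EKS OIDC provider id.
OIDC_HOST = "oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
PROVIDER_ARN = f"arn:aws:iam::123456789012:oidc-provider/{OIDC_HOST}"
EXPECTED_SUB = "system:serviceaccount:valinor:valinor-opennext"


def check_irsa_trust_policy(policy: dict) -> list[str]:
    """Return findings for the AssumeRoleWithWebIdentity statements; [] means scoped as expected."""
    findings = []
    seen = 0
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        seen += 1
        federated = stmt.get("Principal", {}).get("Federated")
        if federated != PROVIDER_ARN:
            findings.append(f"principal is not the cluster OIDC provider: {federated!r}")
        # Only exact matches count: without the :sub condition every pod in the
        # cluster can exchange its projected token for this role.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        sub = equals.get(f"{OIDC_HOST}:sub")
        if sub != EXPECTED_SUB:
            findings.append(f"sub is not pinned to the service account (got {sub!r})")
        if equals.get(f"{OIDC_HOST}:aud") != "sts.amazonaws.com":
            findings.append("aud is not pinned to sts.amazonaws.com")
    if seen == 0:
        findings.append("no Allow statement for sts:AssumeRoleWithWebIdentity")
    return findings


def _policy(condition: dict) -> dict:
    """Build a constructed trust policy document with the given Condition block."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]}


# Scoped as the IAM component describes: subject and audience both pinned.
SCOPED_POLICY = _policy({"StringEquals": {
    f"{OIDC_HOST}:sub": EXPECTED_SUB, f"{OIDC_HOST}:aud": "sts.amazonaws.com"}})
# Weak variant: the audience is checked but the subject is not.
UNSCOPED_POLICY = _policy({"StringEquals": {f"{OIDC_HOST}:aud": "sts.amazonaws.com"}})

if __name__ == "__main__":
    for name, doc in (("scoped", SCOPED_POLICY), ("unscoped", UNSCOPED_POLICY)):
        print(name, check_irsa_trust_policy(doc) or "ok")
```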

KMS (Key Management Service)

Usage: Optional encryption for all services

Supported On:
  • S3 buckets (SSE-KMS)
  • DynamoDB tables (customer-managed CMK)
  • SQS queues (KMS encryption)
  • SSM Parameter Store (SecureString parameters)
  • EBS volumes (Karpenter node pools)

EKS Infrastructure & Autoscaling

EKS (Elastic Kubernetes Service)

Components:
  • eks/karpenter - Karpenter autoscaler controller
  • eks/karpenter-node-pool - Node pool configuration
  • eks/sysbox-runtime - Sysbox container runtime
  • eks/sysbox-deployment - Sysbox DaemonSet sample

EC2 (Elastic Compute Cloud)

Usage: Node provisioning via Karpenter

Key Permissions:
  • ec2:RunInstances, ec2:CreateFleet, ec2:TerminateInstances
  • ec2:CreateTags, ec2:DeleteTags
  • ec2:DescribeInstances, ec2:DescribeInstanceTypes, ec2:DescribeSpotPriceHistory
  • ec2:DescribeAvailabilityZones, ec2:DescribeSecurityGroups, ec2:DescribeSubnets
  • ec2:DescribeLaunchTemplates

CloudWatch Events (EventBridge)

Purpose: EC2 interruption handling for Karpenter

Event Rules:
  1. HealthEvent - AWS Health events
  2. SpotInterrupt - EC2 Spot Instance Interruption Warnings
  3. InstanceRebalance - EC2 Instance Rebalance Recommendations
  4. InstanceStateChange - EC2 Instance State-Change Notifications

ECR (Elastic Container Registry)

Purpose: Container image storage and retrieval

VPC Endpoints Required:
  • com.amazonaws.<region>.ecr.api - API endpoint
  • com.amazonaws.<region>.ecr.dkr - Docker Registry V2

State Management

S3 (Terraform State Backend)

Purpose: Remote state storage for infrastructure code

Configuration:
  • Bucket Name: {namespace}-{environment}-tfstate
  • Default: test-namespace-usw2-tfstate
  • Region: us-west-2

DynamoDB (State Locking)

Purpose: Distributed lock table for Terraform state

Encryption Configuration

Service   | Default            | Customer-Managed CMK Support
----------|--------------------|-----------------------------------------
S3        | SSE-S3 (AES-256)   | Yes (kms_master_key_arn)
DynamoDB  | AWS-owned key      | Yes (server_side_encryption_kms_key_arn)
SQS       | SQS-managed SSE    | Yes (kms_master_key_id)
SSM       | None (String)      | Yes for SecureString (kms_arn)
EBS       | AWS-managed        | Yes (via node pool config)

Summary

AWS Service          | Component                | Purpose              | Required
---------------------|--------------------------|----------------------|---------
S3                   | s3-bucket/opennext       | Cache storage        | Yes
DynamoDB             | dynamodb/opennext        | Cache metadata       | Yes
SQS                  | sqs-queue/opennext       | Revalidation queue   | Yes
SSM Parameter Store  | ssm-parameters/opennext  | Config management    | Yes
IAM                  | iam-role/opennext        | Pod identity (IRSA)  | Yes
KMS                  | Multi-service            | Encryption           | No
EKS                  | eks/karpenter*           | Autoscaling          | Yes
EC2                  | Karpenter nodes          | Compute resources    | Yes
CloudWatch Events    | Karpenter interruption   | Event routing        | Yes
STS                  | OIDC federation          | Token exchange       | Yes
ECR                  | Container registry       | Image storage        | Yes
CloudWatch Logs      | Application logging      | Observability        | No