3-Tier Application
A guild roster system for an MMO, built as a classic 3-tier web application. Two Go services run on EC2 instances behind public and internal Application Load Balancers, backed by an encrypted RDS PostgreSQL database. The entire stack is provisioned with Terraform and deployed through a CI/CD pipeline using CodeCommit, CodeBuild, CodeDeploy, and CodePipeline.
Services
| Service | Role |
|---|---|
| EC2 | Four instances across two tiers (2 web, 2 API) running Go binaries |
| ELBv2 | Public ALB for web tier, internal ALB for API tier, with health checks and target groups |
| RDS | PostgreSQL database with KMS encryption at rest |
| KMS | Customer-managed key for RDS storage encryption |
| IAM | Least-privilege roles for EC2 instances, CodePipeline, CodeBuild, and CodeDeploy |
| STS | IMDS credential vending for EC2 instance roles |
| S3 | Pipeline artifact storage |
| CodeCommit | Git repository (Docker-backed) hosting the source for both tiers |
| CodeBuild | Compiles Go binaries in golang:1.23-alpine Docker containers |
| CodeDeploy | Deploys artifacts to EC2 instances with lifecycle hooks |
| CodePipeline | Orchestrates Source, Build, Deploy stages for each tier independently |
Architecture
```
Client
  |
  v
Public ALB :80 --> Web Tier (2x EC2, Go on :8080)
                      | proxies /api/* via VPC network
                      v
Internal ALB :80 --> API Tier (2x EC2, Go on :8081)
                      |
                      v
             RDS PostgreSQL (KMS encrypted)
```
Two independent CI/CD pipelines deploy the web and API tiers from a shared CodeCommit monorepo. CodeBuild compiles Go binaries in Docker, CodeDeploy installs them on EC2 instances with lifecycle hooks (stop, install, start), and CodePipeline orchestrates the full flow.
The VPC spans six subnets across two availability zones: public subnets for the external ALB, application subnets for the EC2 instances and the internal ALB, and database subnets for RDS. Security groups enforce layered access: each tier accepts traffic only from the tier directly above it.
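The security-group chain described above, written out as an added Terraform example (this is illustrative code, not the project's own Terraform). Resource names, the `vpc_id` variable and the 443 egress for the EC2 tiers are assumptions; the ports follow the architecture diagram. The point is that every hop below the public ALB references the upstream security group rather than a CIDR, so a tier cannot be reached from anywhere except the tier in front of it, whatever IP its instances land on.

```hcl
# Added example, not the project's Terraform: a chained set of security groups
# in which each tier admits traffic only from the tier directly above it.
variable "vpc_id" {
  type = string # assumption: VPC created elsewhere in the stack
}

locals {
  tiers = {
    alb_public   = "Public ALB, reachable from the Internet on :80"
    web          = "Web tier EC2, Go on :8080"
    alb_internal = "Internal ALB in front of the API tier, :80"
    api          = "API tier EC2, Go on :8081"
    db           = "RDS PostgreSQL, :5432"
  }

  # Downstream hop for each tier: who may reach it, and on which port.
  chain = {
    web          = { from = "alb_public", port = 8080 }
    alb_internal = { from = "web", port = 80 }
    api          = { from = "alb_internal", port = 8081 }
    db           = { from = "api", port = 5432 }
  }
}

resource "aws_security_group" "tier" {
  for_each    = local.tiers
  name        = "guild-${each.key}"
  description = each.value
  vpc_id      = var.vpc_id
  # No inline ingress/egress blocks: the provider strips AWS's default
  # allow-all egress, so every permitted flow is an explicit rule below.
}

# The public ALB is the only group exposed to arbitrary sources.
resource "aws_security_group_rule" "alb_public_in" {
  type              = "ingress"
  security_group_id = aws_security_group.tier["alb_public"].id
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}

# Ingress on each lower tier is granted to the upstream security group only.
resource "aws_security_group_rule" "chain_in" {
  for_each                 = local.chain
  type                     = "ingress"
  security_group_id        = aws_security_group.tier[each.key].id
  source_security_group_id = aws_security_group.tier[each.value.from].id
  from_port                = each.value.port
  to_port                  = each.value.port
  protocol                 = "tcp"
}

# Matching egress on the upstream tier, so no tier can initiate connections
# anywhere other than the tier directly below it.
resource "aws_security_group_rule" "chain_out" {
  for_each                 = local.chain
  type                     = "egress"
  security_group_id        = aws_security_group.tier[each.value.from].id
  source_security_group_id = aws_security_group.tier[each.key].id
  from_port                = each.value.port
  to_port                  = each.value.port
  protocol                 = "tcp"
}

# Assumption: the EC2 tiers still need HTTPS out for the CodeDeploy agent to
# fetch artifacts from S3 and reach the CodeDeploy and CloudWatch Logs endpoints.
resource "aws_security_group_rule" "ec2_https_out" {
  for_each          = toset(["web", "api"])
  type              = "egress"
  security_group_id = aws_security_group.tier[each.key].id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}
```

A useful check after `terraform apply` is that the database group has exactly one ingress rule and that its source is the API tier's group id; a CIDR-based rule on the `db` group, or any ingress on it from the `web` group, means the layering has been bypassed.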
What This Validates
- EC2 instances running Go binaries inside Docker containers with IMDS credential vending
- Application Load Balancers routing traffic to target groups with health check enforcement
- Internal ALB for private service-to-service communication within VPC
- RDS PostgreSQL running as a Docker container with KMS-encrypted storage
- Full CI/CD pipeline: CodeCommit git push, CodeBuild Docker compilation, CodeDeploy EC2 deployment, CodePipeline orchestration
- VPC networking with six subnets, security group layering, and Docker bridge connectivity
- Least-privilege IAM roles scoped to specific CloudWatch Logs paths and S3 prefixes
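One way to express the last item in Terraform, as an added example rather than the project's own policy: the web tier's instance role gets write access to a single CloudWatch Logs group and read access to a single prefix in the artifact bucket, nothing else. The log-group path `/guild/web`, the `web/` prefix, and the `region`, `account_id` and `artifact_bucket` variables are assumptions; the commented-out statement shows the over-broad grant this replaces.

```hcl
# Added example, not the project's Terraform: an EC2 instance role whose policy
# is scoped to one log group and one S3 prefix.
variable "region" { type = string }          # assumption
variable "account_id" { type = string }      # assumption
variable "artifact_bucket" { type = string } # assumption: pipeline artifact bucket

data "aws_iam_policy_document" "ec2_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

data "aws_iam_policy_document" "web_instance" {
  # Over-broad version this replaces: any log group, any bucket.
  # statement {
  #   actions   = ["logs:*", "s3:*"]
  #   resources = ["*"]
  # }

  statement {
    sid     = "WriteOwnLogGroupOnly"
    actions = ["logs:CreateLogStream", "logs:PutLogEvents"]
    # The trailing ":*" admits streams inside this group but no other group.
    resources = ["arn:aws:logs:${var.region}:${var.account_id}:log-group:/guild/web:*"]
  }

  statement {
    sid       = "ReadOwnArtifactsOnly"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::${var.artifact_bucket}/web/*"]
  }

  statement {
    sid       = "ListOwnPrefixOnly"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::${var.artifact_bucket}"]
    # ListBucket is bucket-level, so the prefix restriction has to be a condition.
    condition {
      test     = "StringLike"
      variable = "s3:prefix"
      values   = ["web/*"]
    }
  }
}

resource "aws_iam_role" "web_instance" {
  name               = "guild-web-instance"
  assume_role_policy = data.aws_iam_policy_document.ec2_assume.json
}

resource "aws_iam_role_policy" "web_instance" {
  name   = "guild-web-instance"
  role   = aws_iam_role.web_instance.id
  policy = data.aws_iam_policy_document.web_instance.json
}

# The instance profile is what IMDS hands credentials out for on the web hosts.
resource "aws_iam_instance_profile" "web_instance" {
  name = "guild-web-instance"
  role = aws_iam_role.web_instance.name
}
```

The API tier gets a parallel role with its own log group and its own artifact prefix; sharing one role across both tiers would let a compromised web host read the API tier's artifacts and write into its logs, which is exactly what the per-tier scoping is meant to prevent.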
Test Coverage
Five test phases validate the deployment:

- CI/CD: pipeline execution and artifact verification
- Smoke: ALB health endpoints and tier connectivity
- Integration: guild CRUD operations (create, list, get, delete) flowing through both tiers to the database
- Security: KMS encryption and IAM role scoping
- Performance: 50 concurrent health checks and 10 concurrent CRUD cycles