ECS Microservices Platform

A co-op sci-fi tactics game backend called "Void Patrol" with three ECS Fargate microservices: a public-facing gateway, a campaign service, and an inventory service. Services discover each other through Cloud Map DNS, share an RDS PostgreSQL database, and use ElastiCache Redis for session caching and leaderboards. The public ALB terminates TLS with an ACM certificate.

Services

Service           Role
----------------  ----------------------------------------------------------------------
ECS Fargate       Three services: gateway (:8080), campaign (:8081), inventory (:8082)
ECR               Three repositories for service container images
Cloud Map         Private DNS namespace (voidpatrol.local) for service discovery
ELBv2             Public ALB with HTTPS listener and HTTP-to-HTTPS redirect
RDS               PostgreSQL database shared by campaign and inventory services, KMS encrypted
ElastiCache       Redis cluster for sessions and leaderboard sorted sets, encryption at rest and in transit
Secrets Manager   Database credentials and Redis auth tokens
KMS               Encryption keys for RDS, ElastiCache, and other resources
IAM               Execution roles and task roles with least-privilege per service
ACM               TLS certificate with Route53 DNS validation
Route53           Hosted zone for DNS validation and ALIAS records
S3                Pipeline artifact storage
CodeCommit        Source repositories for each service
CodeBuild         Docker image builds and ECR pushes
CodePipeline      Per-service CI/CD pipelines

Architecture

Client --> ALB (HTTPS :443, ACM cert)
             |  HTTP :80 redirects to HTTPS
             v
           Gateway Service (ECS Fargate, Go :8080)
             |
             ├── campaign.voidpatrol.local (Cloud Map DNS)
             |     --> Campaign Service (ECS Fargate, Go :8081)
             |           --> RDS PostgreSQL
             |
             ├── inventory.voidpatrol.local (Cloud Map DNS)
             |     --> Inventory Service (ECS Fargate, Go :8082)
             |           --> RDS PostgreSQL
             |
             └── ElastiCache Redis (:6379)
                   (sessions, leaderboards)

The gateway service proxies requests to campaign and inventory services using Cloud Map private DNS names. Six security groups enforce layered access: the ALB only accepts public traffic, the gateway only accepts from the ALB, campaign and inventory only accept from the gateway, and RDS and Redis only accept from their consuming services.
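The proxying step above, as an added example that is not the project's own gateway code: a Go reverse proxy that maps a path prefix to the Cloud Map DNS name of the owning service. The prefix-to-service mapping (/campaign/..., /inventory/...), the health endpoint path, and the assumption that each backend accepts the prefixed path are assumptions of this example; the DNS names and ports are those from the diagram. Name resolution is left to the standard transport so the task's VPC resolver returns the currently registered task IPs on every request, and the client-supplied X-Forwarded-Host header is dropped so a caller cannot forge it through the gateway.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Gateway proxies each path prefix to one backend service, addressed by its
// Cloud Map private DNS name.
type Gateway struct {
	proxies map[string]*httputil.ReverseProxy
}

// NewGateway takes a map of path prefix -> upstream base URL (scheme, host, port).
func NewGateway(targets map[string]string) (*Gateway, error) {
	g := &Gateway{proxies: make(map[string]*httputil.ReverseProxy, len(targets))}
	for prefix, raw := range targets {
		u, err := url.Parse(raw)
		if err != nil {
			return nil, fmt.Errorf("upstream %q: %w", prefix, err)
		}
		p := httputil.NewSingleHostReverseProxy(u)
		base := p.Director
		p.Director = func(r *http.Request) {
			base(r)
			// Present the service's own name as Host so the backend's routing and
			// logs see campaign.voidpatrol.local rather than the public ALB host.
			r.Host = u.Host
			// Never forward a client-controlled X-Forwarded-Host; ReverseProxy
			// still appends the real client IP to X-Forwarded-For itself.
			r.Header.Del("X-Forwarded-Host")
		}
		g.proxies[prefix] = p
	}
	return g, nil
}

// Route returns the first path segment and whether a backend owns it.
func (g *Gateway) Route(path string) (string, bool) {
	trimmed := strings.TrimPrefix(path, "/")
	prefix, _, _ := strings.Cut(trimmed, "/")
	_, ok := g.proxies[prefix]
	return prefix, ok
}

// ServeHTTP answers the ALB health check locally and proxies everything else.
func (g *Gateway) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.URL.Path == "/healthz" {
		w.WriteHeader(http.StatusOK)
		fmt.Fprintln(w, "ok")
		return
	}
	prefix, ok := g.Route(r.URL.Path)
	if !ok {
		// Unknown prefixes are rejected here rather than reaching any backend.
		http.NotFound(w, r)
		return
	}
	g.proxies[prefix].ServeHTTP(w, r)
}

func main() {
	gw, err := NewGateway(map[string]string{
		"campaign":  "http://campaign.voidpatrol.local:8081",
		"inventory": "http://inventory.voidpatrol.local:8082",
	})
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe(":8080", gw))
}
```

Because the gateway only forwards known prefixes, the security groups on campaign and inventory (which admit traffic from the gateway group alone) are not the sole control: a request for an unmapped path never leaves the gateway task at all.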

What This Validates

  • ECS Fargate service deployment with task definitions and container configurations
  • Cloud Map private DNS namespace for service-to-service discovery
  • ALB HTTPS listener with ACM certificate and HTTP-to-HTTPS redirect
  • ACM certificate DNS validation via Route53
  • RDS PostgreSQL Docker container with KMS encryption at rest
  • ElastiCache Redis with encryption at rest and in transit
  • Secrets Manager integration for database and cache credentials
  • Six-layer security group enforcement with explicit ingress rules per tier
  • Cross-service API proxying through Cloud Map DNS resolution
  • Per-service CI/CD pipelines with Docker builds and ECR pushes

Test Coverage

Tests cover smoke checks for all services and health endpoints including HTTPS, integration tests for player sessions (create, retrieve, delete), campaign management (create, list, add missions, track status, world events), inventory operations (items, loadouts), and leaderboard scoring via Redis sorted sets. Security tests validate encryption on RDS, ElastiCache, and Secrets Manager. Performance tests run 50 concurrent health checks, 20 concurrent session cycles, and 10 concurrent campaign CRUD flows.