AWS Overview

The HIC AWS environment provides the cloud foundation for all platform services. All infrastructure is defined as code using AWS CDK (TypeScript) and deployed via GitHub Actions with OIDC — no static credentials.

Field         Value
Account       600627345833
Region        eu-west-1
IaC tool      AWS CDK (TypeScript)
Config file   infra/aws/config/nhic.json
CDK source    infra/aws/

GitHub OIDC

All CI/CD pipelines authenticate to AWS using OIDC from the Sand-EnterpriseAI/Healthcare.MOH.RWA.HIC GitHub repository. No static IAM access keys are used or stored anywhere in the codebase.
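The security of the OIDC setup described above rests on the IAM role's trust policy: the provider alone does not restrict who can assume the role, the `sub` and `aud` conditions do. The following is an added example, not code from the HIC repository or its CDK stacks. It builds a trust policy scoped to the repository named above (the account id is the one listed on this page; the `refs/heads/main` ref and the idea of pinning to one branch are assumptions), and it audits a trust-policy document for the two mistakes that make a GitHub OIDC role assumable from unrelated workflows: a missing or wildcard `sub` condition, and an `aud` that is not pinned to `sts.amazonaws.com`. The over-permissive policy at the bottom is constructed for illustration.

```typescript
// Added example (not the HIC project's own code): build and audit the IAM trust
// policy behind a GitHub Actions OIDC role. Plain TypeScript, no aws-cdk-lib needed.

type Condition = Record<string, Record<string, string | string[]>>;

interface TrustStatement {
  Effect: "Allow" | "Deny";
  Principal: { Federated: string };
  Action: string;
  Condition?: Condition;
}

interface TrustPolicy {
  Version: "2012-10-17";
  Statement: TrustStatement[];
}

const GITHUB_OIDC_ISSUER = "token.actions.githubusercontent.com";

// Values taken from the page; the ref is an assumed placeholder.
const HIC_ACCOUNT_ID = "600627345833";
const HIC_REPO = "Sand-EnterpriseAI/Healthcare.MOH.RWA.HIC";
const ASSUMED_DEPLOY_REF = "refs/heads/main";

/** Trust policy that lets only workflows from one repo and one ref assume the role. */
function buildGithubTrustPolicy(accountId: string, repo: string, ref: string): TrustPolicy {
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: {
          Federated: `arn:aws:iam::${accountId}:oidc-provider/${GITHUB_OIDC_ISSUER}`,
        },
        Action: "sts:AssumeRoleWithWebIdentity",
        Condition: {
          StringEquals: {
            // aud: a token minted for another audience must not be accepted here.
            [`${GITHUB_OIDC_ISSUER}:aud`]: "sts.amazonaws.com",
            // sub: exactly this repository and ref; no wildcard.
            [`${GITHUB_OIDC_ISSUER}:sub`]: `repo:${repo}:ref:${ref}`,
          },
        },
      },
    ],
  };
}

/** Collect every value bound to `key` across all condition operators (StringEquals, StringLike, ...). */
function conditionValues(cond: Condition, key: string): string[] {
  const out: string[] = [];
  for (const operator of Object.keys(cond)) {
    const v = cond[operator][key];
    if (v === undefined) continue;
    out.push(...(Array.isArray(v) ? v : [v]));
  }
  return out;
}

/** Return human-readable findings; an empty array means the policy is scoped to `expectedRepo`. */
function auditGithubTrustPolicy(policy: TrustPolicy, expectedRepo: string): string[] {
  const findings: string[] = [];
  for (const stmt of policy.Statement) {
    const isGithubFederation =
      stmt.Effect === "Allow" &&
      stmt.Principal.Federated.endsWith(`oidc-provider/${GITHUB_OIDC_ISSUER}`);
    if (!isGithubFederation) continue;

    const cond = stmt.Condition ?? {};
    const subs = conditionValues(cond, `${GITHUB_OIDC_ISSUER}:sub`);
    const auds = conditionValues(cond, `${GITHUB_OIDC_ISSUER}:aud`);

    if (subs.length === 0) {
      findings.push("no sub condition: any GitHub repository can assume this role");
    }
    if (!auds.includes("sts.amazonaws.com")) {
      findings.push("aud is not pinned to sts.amazonaws.com");
    }
    for (const sub of subs) {
      // "repo:*" or another org's repo both fail this prefix check.
      if (!sub.startsWith(`repo:${expectedRepo}:`)) {
        findings.push(`sub "${sub}" is not scoped to ${expectedRepo}`);
      }
    }
  }
  return findings;
}

// Constructed over-permissive policy for the audit to flag: wildcard sub, no aud.
const PERMISSIVE_EXAMPLE: TrustPolicy = {
  Version: "2012-10-17",
  Statement: [
    {
      Effect: "Allow",
      Principal: { Federated: `arn:aws:iam::${HIC_ACCOUNT_ID}:oidc-provider/${GITHUB_OIDC_ISSUER}` },
      Action: "sts:AssumeRoleWithWebIdentity",
      Condition: { StringLike: { [`${GITHUB_OIDC_ISSUER}:sub`]: "repo:*" } },
    },
  ],
};

const SCOPED_EXAMPLE = buildGithubTrustPolicy(HIC_ACCOUNT_ID, HIC_REPO, ASSUMED_DEPLOY_REF);
console.log("scoped policy findings:", auditGithubTrustPolicy(SCOPED_EXAMPLE, HIC_REPO));
console.log("permissive policy findings:", auditGithubTrustPolicy(PERMISSIVE_EXAMPLE, HIC_REPO));
```

The audit deliberately reads every condition operator, not just `StringEquals`, because a `StringLike` with `repo:*` is the usual way such a role ends up assumable by arbitrary repositories. Running the audit against the trust policies of the deployed roles (for example via `aws iam get-role`) is a cheap check that the "no static credentials" property is matched by an equally tight federation boundary.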

Services

Service           Purpose
Cognito           Authentication — user pool moh-auth, custom domain auth.nhic.moh.gov.rw
ECR               Private container registries: dbt, prefect, greenriver, jupyter
CloudFront + S3   Frontend hosting for GreenRiver v2 at nhic.moh.gov.rw
Route53           DNS for nhic.moh.gov.rw and auth.nhic.moh.gov.rw
Secrets Manager   Cluster secrets — DB passwords, API keys, MinIO keys, and more

Cognito user groups

The moh-auth user pool gates access to all platform services. Group membership controls what a user can access.

Group                 Access
argocd-admin          ArgoCD full admin
argocd-moh-admin      ArgoCD MOH admin
superset-users        Superset — read/explore
superset-admins       Superset — full admin
greenriver-nhic       GreenRiver — HIC staff
greenriver-ceho       GreenRiver — CEHO staff
greenriver-admins     GreenRiver — administrators
greenriver-rbc-mcch   GreenRiver — RBC MCCH staff
k8s-admins            Kubernetes — cluster admin
k8s-readonly          Kubernetes — read only
k8s-read-write        Kubernetes — read/write

Dev variants of the GreenRiver groups exist for non-production environments.
