AWS Overview
The HIC AWS environment provides the cloud foundation for all platform services. All infrastructure is defined as code using AWS CDK (TypeScript) and deployed via GitHub Actions with OIDC — no static credentials.
| Field | Value |
|---|---|
| Account | 600627345833 |
| Region | eu-west-1 |
| IaC tool | AWS CDK (TypeScript) |
| Config file | infra/aws/config/nhic.json |
| CDK source | infra/aws/ |
GitHub OIDC
All CI/CD pipelines authenticate to AWS using OIDC from the Sand-EnterpriseAI/Healthcare.MOH.RWA.HIC GitHub repository. No static IAM access keys are used or stored anywhere in the codebase.
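The security of the OIDC setup rests on the IAM role's trust policy: it must pin the `aud` claim and scope the `sub` claim to this one repository and ref, otherwise any GitHub workflow could assume the role. The block below is an added example, not code from the HIC CDK project: it builds such a trust policy as a plain object and runs a review check over it. The branch name `main`, the audience value `sts.amazonaws.com` and the provider ARN format are assumptions; the account ID and repository are the ones listed above.

```typescript
// Added example, not the project's CDK code. Builds the IAM trust policy for the
// GitHub OIDC provider and checks that it is scoped to a single repo and ref.
// Assumed (not on the page): branch `main`, audience `sts.amazonaws.com`.

export const ACCOUNT_ID = "600627345833";
export const REPO = "Sand-EnterpriseAI/Healthcare.MOH.RWA.HIC";
export const OIDC_HOST = "token.actions.githubusercontent.com";

export interface TrustPolicy {
  Version: "2012-10-17";
  Statement: Array<{
    Effect: "Allow";
    Principal: { Federated: string };
    Action: "sts:AssumeRoleWithWebIdentity";
    Condition: {
      StringEquals: Record<string, string>;
      StringLike: Record<string, string>;
    };
  }>;
}

// Trust policy that lets only workflows from one repo on one branch assume the role.
export function buildTrustPolicy(repo: string, branch: string): TrustPolicy {
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: {
          Federated: `arn:aws:iam::${ACCOUNT_ID}:oidc-provider/${OIDC_HOST}`,
        },
        Action: "sts:AssumeRoleWithWebIdentity",
        Condition: {
          // aud is pinned so a token minted for another audience is rejected
          StringEquals: { [`${OIDC_HOST}:aud`]: "sts.amazonaws.com" },
          // sub carries "repo:<owner>/<name>:ref:refs/heads/<branch>"
          StringLike: { [`${OIDC_HOST}:sub`]: `repo:${repo}:ref:refs/heads/${branch}` },
        },
      },
    ],
  };
}

// Review check: list the ways a trust policy is broader than "this repo, this ref".
export function trustPolicyFindings(policy: TrustPolicy): string[] {
  const findings: string[] = [];
  for (const st of policy.Statement) {
    const aud = st.Condition.StringEquals[`${OIDC_HOST}:aud`];
    if (aud !== "sts.amazonaws.com") findings.push("aud condition missing or not pinned");

    const sub =
      st.Condition.StringLike[`${OIDC_HOST}:sub`] ??
      st.Condition.StringEquals[`${OIDC_HOST}:sub`];
    if (!sub) {
      findings.push("no sub condition: any GitHub repository could assume the role");
      continue;
    }
    const m = /^repo:([^:]+):(.*)$/.exec(sub);
    if (!m) {
      findings.push(`sub is not a repo claim: ${sub}`);
      continue;
    }
    const [, repoPart, refPart] = m;
    if (repoPart.includes("*")) findings.push(`sub wildcards the repository: ${repoPart}`);
    if (refPart.includes("*")) findings.push(`sub wildcards the ref: ${refPart}`);
  }
  return findings;
}
```

Run `trustPolicyFindings` over the trust policy the CDK stack synthesizes before merging a change to it; an empty list means the role is usable only from the named repository and branch.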
Services
| Service | Purpose |
|---|---|
| Cognito | Authentication — user pool moh-auth, custom domain auth.nhic.moh.gov.rw |
| ECR | Private container registries: dbt, prefect, greenriver, jupyter |
| CloudFront + S3 | Frontend hosting for GreenRiver v2 at nhic.moh.gov.rw |
| Route53 | DNS for nhic.moh.gov.rw and auth.nhic.moh.gov.rw |
| Secrets Manager | Cluster secrets — DB passwords, API keys, MinIO keys, and more |
Cognito user groups
The moh-auth user pool gates access to all platform services. Group membership controls what a user can access.
| Group | Access |
|---|---|
| argocd-admin | ArgoCD full admin |
| argocd-moh-admin | ArgoCD MOH admin |
| superset-users | Superset — read/explore |
| superset-admins | Superset — full admin |
| greenriver-nhic | GreenRiver — HIC staff |
| greenriver-ceho | GreenRiver — CEHO staff |
| greenriver-admins | GreenRiver — administrators |
| greenriver-rbc-mcch | GreenRiver — RBC MCCH staff |
| k8s-admins | Kubernetes — cluster admin |
| k8s-readonly | Kubernetes — read only |
| k8s-read-write | Kubernetes — read/write |
Dev variants of the GreenRiver groups exist for non-production environments.
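To show how the group table is consumed by a service, the following is an added example, not code from the HIC platform. Given the claims of a moh-auth ID token whose signature has already been verified against the user pool's JWKS, it checks issuer, audience, token type and expiry, then maps `cognito:groups` to permissions. It also handles the dev variants: a dev group grants nothing unless the service itself runs in a non-production environment. The pool ID, app client ID, permission names and the `-dev` suffix are assumptions, not values from this page.

```typescript
// Added example, not the project's code. Authorization from the cognito:groups
// claim of a moh-auth ID token. The claims object is assumed to come from a JWT
// whose RS256 signature was already verified against the pool's JWKS; this
// code only validates claim values and maps groups to permissions.
// Assumed (not on the page): pool ID, app client ID, permission names, and a
// `-dev` suffix for the dev variants of the GreenRiver groups.

const REGION = "eu-west-1";
const USER_POOL_ID = "eu-west-1_EXAMPLE"; // placeholder, not the real pool ID
export const APP_CLIENT_ID = "example-app-client-id"; // placeholder
export const ISSUER = `https://cognito-idp.${REGION}.amazonaws.com/${USER_POOL_ID}`;

export type Env = "prod" | "dev";

export interface Claims {
  iss: string;
  aud: string;
  token_use: string;
  exp: number; // seconds since epoch
  sub: string;
  "cognito:groups"?: string[];
}

// Permissions granted per group, following the table above.
const GROUP_PERMISSIONS: Record<string, string[]> = {
  "argocd-admin": ["argocd:admin"],
  "argocd-moh-admin": ["argocd:moh-admin"],
  "superset-users": ["superset:read"],
  "superset-admins": ["superset:read", "superset:admin"],
  "greenriver-nhic": ["greenriver:nhic"],
  "greenriver-ceho": ["greenriver:ceho"],
  "greenriver-admins": ["greenriver:admin"],
  "greenriver-rbc-mcch": ["greenriver:rbc-mcch"],
  "k8s-admins": ["k8s:admin"],
  "k8s-readonly": ["k8s:read"],
  "k8s-read-write": ["k8s:read", "k8s:write"],
};

// Returns a rejection reason, or null when the claims are acceptable.
export function validateClaims(claims: Claims, nowSeconds: number): string | null {
  if (claims.iss !== ISSUER) return "wrong issuer";
  if (claims.aud !== APP_CLIENT_ID) return "wrong audience";
  // Cognito access tokens also carry cognito:groups but use client_id instead of
  // aud and token_use "access"; this check accepts only ID tokens.
  if (claims.token_use !== "id") return "not an ID token";
  if (claims.exp <= nowSeconds) return "expired";
  return null;
}

// Effective permissions for the token in the given environment.
export function permissionsFor(claims: Claims, env: Env, nowSeconds: number): Set<string> {
  const reason = validateClaims(claims, nowSeconds);
  if (reason !== null) throw new Error(`token rejected: ${reason}`);

  const perms = new Set<string>();
  for (const group of claims["cognito:groups"] ?? []) {
    let name = group;
    if (group.endsWith("-dev")) {
      if (env !== "dev") continue; // dev variants grant nothing in production
      name = group.slice(0, -"-dev".length);
    }
    // Unknown groups grant nothing rather than failing open.
    for (const p of GROUP_PERMISSIONS[name] ?? []) perms.add(p);
  }
  return perms;
}
```

The environment is a deployment-time constant of the service, never something read from the token, so a user placed in a dev group cannot use it to reach the production instance.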