Deploying a Region
Assumptions
- This document uses `dev.sgp-1.cogrion.com` as the implementation example: the development environment on AWS Singapore (ap-southeast-1).
Related Repositories
| Repository | Purpose |
|---|---|
| cogrion-terraform | Cloud infrastructure |
| cogrion-gitops | ArgoCD apps, Helm charts, environment values |
This page documents the actual procedure for deploying a new region or environment. For the architectural rationale behind these steps see ADR: Deploying a Region.
Global Prerequisites
These must exist once before any region is deployed. They are shared across all environments and regions.
| Prerequisite | Status | Notes |
|---|---|---|
| cogrion.com root domain registered (GoDaddy) | TODO | |
| cogrion.com DNS zone active in Cloudflare | TODO | Currently the root-domain DNS zone is still managed in AWS Route 53 |
| Cloudflare Workers deployed (auth.cogrion.com, cplane.cogrion.com/lookup) | TODO | Global auth proxy and tenant→region routing |
| Cloudflare KV namespace (tenant→region map) | TODO | Written at workspace provision time |
| Dashboard UI deployed (app.cogrion.com) | TODO | |
| Root CA in AWS Secrets Manager (ap-southeast-1) | TODO | Shared PKI root for all regional OpenBao instances |
| Primary region sgp-1 | TODO | All other regions resolve principals from sgp-1 |
Deployment Sequence
Phase 1 — AWS Infrastructure (Terraform)
- Prepare the directory `envs/dev-sgp-1/` in `cogrion-terraform`.
- Update `terraform.tfvars` and `backend.tf` for `dev-sgp-1`.
- Run `tofu apply`, which provisions:
  - VPC, subnets, NAT, security groups
  - EKS cluster + node groups (`dev-sgp-1`)
  - RDS instance
  - Route53 hosted zone (`dev.sgp-1.cogrion.com`)
  - S3 buckets (`cogrion-dev-sgp-1-artifacts`, `cogrion-dev-sgp-1-exports`)
  - IAM roles (cluster, node, IRSA)
Phase 2 — DNS Delegation
- Add NS records in Cloudflare pointing `dev.sgp-1.cogrion.com` → the new Route53 zone nameservers.
Phase 3 — Cluster Bootstrap
- Bootstrap ArgoCD and apply cluster resources (see GitOps: Bootstrap a new cluster):

  ```sh
  # The argocd namespace must exist before the namespaced apply below.
  kubectl create namespace argocd
  # Install ArgoCD (cluster-install kustomization, pinned to v2.12.0)
  kubectl apply -n argocd -k https://github.com/argoproj/argo-cd/manifests/cluster-install?ref=v2.12.0
  # Cluster-specific bootstrap resources and the app-of-apps root for dev-sgp-1
  kubectl apply -f argocd/_bootstrap/dev-sgp-1/bootstrap.yaml
  kubectl apply -f argocd/app-roots/dev-sgp-1.yaml
  ```

- Apply cluster-level secrets (image pull, RDS credentials, inter-region service token).
Phase 4 — PKI and TLS
- Deploy OpenBao into the cluster.
- Import the shared root CA from AWS Secrets Manager into OpenBao's PKI backend.
- Deploy cert-manager and configure it to use OpenBao as the issuer.
Phase 5 — Platform Services (ArgoCD)
- Copy ArgoCD app manifests and Helm values from an existing region into `cogrion-gitops`:

  ```sh
  cp -r argocd/apps/prod-sgp-1 argocd/apps/dev-sgp-1
  cp -r values/prod-sgp-1 values/dev-sgp-1
  ```

  Update all domain and bucket values in `values/dev-sgp-1/` to use `dev.sgp-1.cogrion.com`, `cogrion-dev-sgp-1-artifacts`, etc.
- Sync ArgoCD, which deploys in dependency order:
  - Keycloak
  - Temporal (server + workers)
  - Control plane API
  - Observability stack (Prometheus, Grafana, Loki)
Phase 6 — Region Registration
- Update Cloudflare KV to route new tenants to `dev.sgp-1.cogrion.com` at signup.
- Since `dev-sgp-1` is a secondary region (not the `sgp-1` primary), set `PRIMARY_CPLANE_API_URL=https://cplane.sgp-1.cogrion.com` and `INTER_REGION_SERVICE_TOKEN` in the Helm values.
Phase 7 — Smoke Test
- Create a test tenant assigned to `dev-sgp-1` and verify the full auth flow end-to-end.
- Provision a test workspace and confirm DNS delegation, cert issuance, and the cluster agent bootstrap token flow.
New Environment vs New Region
- New environment (e.g. `dev-sgp-1`): Phase 1 is a subset (no new VPC if sharing; new RDS and S3 only). The Route53 zone is a subdomain of the existing regional zone.
- New region: full Phase 1 including VPC and EKS. Phase 2 adds a new top-level NS delegation.
Teardown
Drain workspaces → remove Cloudflare KV entry → delete ArgoCD apps → tofu destroy. The shared root CA and global Cloudflare layer are unaffected.