Overview

The Proposal Compliance Tool is an internal, secure web application that allows authorized employees to upload proposals, RFPs, and other business development artifacts. It runs an automated compliance pipeline and returns downloadable result artifacts (CSV/JSON/ZIP) via pre-signed links. The Streamlit application is packaged as a container, deployed on ECS Fargate, and integrated with Route 53, an ALB, Cognito, S3, and GitHub Actions for CI/CD.

Networking / Entry

Amazon Route 53

  • Hosts public domain (e.g., compliance-check-bcsa.com).
  • Alias records point to ALB DNS.

Application Load Balancer (ALB)

  • Terminates TLS with ACM certificate.
  • Enforces Cognito authentication via Hosted UI.
  • Routes authorized traffic to ECS Fargate tasks.

AWS Certificate Manager (ACM)

  • Issues managed TLS certificates for HTTPS.

VPC & Gateways

  • 2 public subnets for ALB, 2 private subnets for ECS tasks.
  • Internet Gateway for the ALB; NAT Gateway so ECS tasks can reach ECR and pip package downloads.

Compute / Containers

Amazon ECS (Fargate)

  • Runs the Streamlit container without managing EC2 instances.
  • Cluster groups tasks (e.g., proposal-grader-cluster1).
  • Task Definition specifies CPU/memory, image, env vars, log driver.
  • Service maintains desired task count and integrates with ALB Target Group.

Amazon ECR

  • Secure Docker registry for ECS images.

Identity / Authentication

Amazon Cognito

  • User Pool and App Client provide the Hosted UI and issue OIDC tokens.
  • ALB listener rule enforces authentication before requests reach the app.

Storage / Artifacts

Amazon S3

  • Stores CSV/JSON/ZIP outputs from grading pipeline.
  • App generates pre-signed URLs for user downloads.
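How the app can hand out those download links safely is worth spelling out: a pre-signed URL grants whatever the signing role can do on that key for as long as the link lives, so the object key must be confined to the requesting job's prefix and the lifetime kept short. The following is an added example, not code from the Proposal Compliance Tool; the bucket name, the results/<job_id>/<file> key layout, the 15-minute cap and the FakeS3Client used for offline demonstration are all assumptions.

```python
"""Issue short-lived pre-signed S3 download links for pipeline artifacts.

Added example, not the project's own code. Assumes a hypothetical key layout of
results/<job_id>/<file> in the artifact bucket; names below are placeholders.
"""
import re
from typing import Optional

ARTIFACT_BUCKET = "example-compliance-artifacts"  # placeholder bucket name (assumption)
ARTIFACT_PREFIX = "results/"                      # assumed layout: results/<job_id>/<file>
ALLOWED_SUFFIXES = (".csv", ".json", ".zip")      # the output types the pipeline produces
MAX_TTL_SECONDS = 15 * 60                         # cap on link lifetime (assumed policy)

_JOB_ID = re.compile(r"^[A-Za-z0-9_-]{8,64}$")
_FILENAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def artifact_key(job_id: str, filename: str) -> str:
    """Build the object key for a requested artifact, refusing anything that could
    escape the job's prefix (path separators, '..', unexpected characters or types)."""
    if not _JOB_ID.fullmatch(job_id):
        raise ValueError("invalid job id")
    if not _FILENAME.fullmatch(filename) or ".." in filename:
        raise ValueError("invalid artifact name")
    if not filename.lower().endswith(ALLOWED_SUFFIXES):
        raise ValueError("artifact type not downloadable")
    return f"{ARTIFACT_PREFIX}{job_id}/{filename}"


def clamp_ttl(requested_seconds: Optional[int]) -> int:
    """Return the link lifetime in seconds, never longer than MAX_TTL_SECONDS."""
    ttl = MAX_TTL_SECONDS if requested_seconds is None else min(requested_seconds, MAX_TTL_SECONDS)
    if ttl <= 0:
        raise ValueError("ttl must be positive")
    return ttl


def presign_download(s3_client, job_id: str, filename: str, ttl_seconds: Optional[int] = None) -> str:
    """Return a pre-signed GET URL for one artifact.

    `s3_client` is any object exposing boto3's generate_presigned_url(ClientMethod,
    Params=..., ExpiresIn=...) signature: boto3.client("s3") in production, the
    FakeS3Client below when running without AWS credentials."""
    key = artifact_key(job_id, filename)
    return s3_client.generate_presigned_url(
        "get_object",
        Params={
            "Bucket": ARTIFACT_BUCKET,
            "Key": key,
            # Force a download instead of inline rendering in the browser.
            "ResponseContentDisposition": f'attachment; filename="{filename}"',
        },
        ExpiresIn=clamp_ttl(ttl_seconds),
    )


class FakeS3Client:
    """Offline stand-in for boto3's S3 client (assumption, for demonstration only).
    It records the request and returns a URL shaped like a pre-signed one."""

    def __init__(self):
        self.calls = []

    def generate_presigned_url(self, ClientMethod, Params, ExpiresIn):
        self.calls.append((ClientMethod, Params, ExpiresIn))
        return f"https://{Params['Bucket']}.s3.amazonaws.com/{Params['Key']}?X-Amz-Expires={ExpiresIn}"


if __name__ == "__main__":
    client = FakeS3Client()  # swap for boto3.client("s3") to sign against a real bucket
    print(presign_download(client, "job-20240101-abc123", "report.csv"))
```

The key validation runs before any signing call, so a request for a name such as "../other-job/report.csv" never reaches S3, and the clamp means a caller asking for a multi-hour link still gets at most the configured cap.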

Observability / Operations

Amazon CloudWatch

  • Centralized logs from ECS tasks (/ecs/proposal-grader).
  • Supports debugging and monitoring.

Application Auto Scaling

  • Scheduled scaling: scale up during business hours, scale down off-hours.
  • Optional target tracking or step scaling on CPU/memory/ALB metrics.

CI/CD & Security

GitHub Actions

  • Builds and pushes Docker images to ECR.
  • Updates ECS Service via OIDC-assumed IAM role.

AWS IAM

  • ecsTaskExecutionRole: ECS pulls images, writes logs, fetches secrets.
  • Task Role: Runtime permissions for S3 bucket access.
  • GitHub OIDC Deploy Role: Secure CI/CD without long-lived keys.
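The two places where least privilege is easiest to get wrong in this design are the GitHub OIDC deploy role (if its trust policy does not pin the `sub` claim, any repository presenting a GitHub token can assume it) and the task role (which only needs the artifact prefix, not the whole bucket). The block below is an added example covering both the GitHub Actions and the IAM items above; it is not the project's own IAM configuration. The account id, repository, bucket name and results/ prefix are placeholders, and the checker's notion of "overbroad" is a simple heuristic, not an IAM Access Analyzer replacement.

```python
"""Least-privilege policy documents for the GitHub deploy role and the ECS task role.

Added example, not the project's IAM configuration. Account id, repository,
bucket and prefix are placeholders.
"""
import json

ACCOUNT_ID = "123456789012"  # placeholder
GITHUB_OIDC_PROVIDER = f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/token.actions.githubusercontent.com"


def github_deploy_trust_policy(repo: str, branch: str = "main") -> dict:
    """Trust policy allowing only workflows from one repository and branch to
    assume the deploy role. The pinned `sub` claim is what keeps other
    repositories out; `aud` must match the audience the action requests."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": GITHUB_OIDC_PROVIDER},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
                    "token.actions.githubusercontent.com:sub": f"repo:{repo}:ref:refs/heads/{branch}",
                }
            },
        }],
    }


def task_role_artifact_policy(bucket: str, prefix: str = "results/") -> dict:
    """Runtime permissions for the task role: read/write objects only under
    `prefix`, and list the bucket only for that prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:PutObject", "s3:GetObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
            },
            {
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": f"{prefix}*"}},
            },
        ],
    }


def find_overbroad_statements(policy: dict) -> list:
    """Heuristic review of Allow statements: wildcard actions or resources, and
    GitHub web-identity trust without a fully pinned `sub` claim.
    Returns (statement_index, reason) tuples; an empty list means nothing flagged."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((i, "wildcard action"))
        if any(r == "*" for r in resources):
            findings.append((i, "wildcard resource"))
        if "sts:AssumeRoleWithWebIdentity" in actions:
            cond = stmt.get("Condition", {})
            sub = None
            for op in ("StringEquals", "StringLike"):
                sub = cond.get(op, {}).get("token.actions.githubusercontent.com:sub", sub)
            if sub is None or "*" in sub:
                findings.append((i, "GitHub sub claim not pinned"))
    return findings


if __name__ == "__main__":
    trust = github_deploy_trust_policy("example-org/proposal-compliance-tool")
    print(json.dumps(trust, indent=2))
    print(json.dumps(task_role_artifact_policy("example-compliance-artifacts"), indent=2))
    print("findings:", find_overbroad_statements(trust))
```

The ecsTaskExecutionRole listed above is deliberately not modelled here: it is the role ECS itself uses to pull images, write logs and fetch secrets, and it should stay separate from the runtime task role so that the application code never holds those permissions.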

Architecture Summary

Architecture: Route 53 → ALB (TLS termination, Cognito auth) → ECS Fargate (Streamlit app) → S3 (artifacts); GitHub Actions CI/CD; CloudWatch logs; IAM least privilege.
Secure, scalable proposal compliance architecture with Route 53, ALB, ECS Fargate, Cognito, S3, CloudWatch, and IAM.
  1. Networking – Route 53, ALB, ACM, VPC: DNS, TLS termination, authentication, subnet isolation.
  2. Compute – ECS Fargate: Runs Streamlit containerized app.
  3. Storage – Amazon S3: Durable artifact storage with pre-signed URLs.
  4. Authentication – Cognito: Hosted UI, OIDC tokens, enforced at ALB.
  5. CI/CD – GitHub Actions: Builds/pushes images, updates ECS service.
  6. Monitoring – CloudWatch: Logs, alarms, scaling metrics.
  7. Security – IAM: Least-privilege roles for ECS, S3, CI/CD.

Summary of Architecture Flow

  1. DNS & entry: Employee visits Route 53 domain (HTTPS) and hits the ALB listener.
  2. Auth at the edge: ALB evaluates rules; unauthenticated users are redirected to Cognito Hosted UI.
  3. Session & routing: After sign-in, the ALB establishes a session and forwards requests to the Target Group (HTTP:8501).
  4. App service: ECS Fargate serves the Streamlit app from private subnets.
  5. Artifacts: On completion, the app uploads CSV/JSON/ZIP outputs to S3 and returns pre-signed URLs.
  6. Observability: Container logs go to CloudWatch; scaling via Application Auto Scaling and optional Alarms.
  7. CI/CD: GitHub Actions (OIDC) builds/pushes to ECR, updates ECS Service, and rolls tasks behind ALB health checks.

Skills Demonstrated