NHC Account Architecture

Account Purpose

NHC member account. Hosts the Django REST API (main PHI store) and all apps migrated from MWE (third-party). This account is fully in HIPAA scope.

AWS Account Details
| Field | Value |
|---|---|
| Account Name | NHC |
| Account ID | 794248400165 |
| Account Type | Member account under Org |
| Primary Region | us-east-2 (Ohio) |
| PHI in Scope | All data in this account |
Deployed Infrastructure (IaC: tofu/accounts/nhc/)

| Service | Resource | Status | Notes |
|---|---|---|---|
| KMS | prod-nhc-kms-ebs | ✅ Deployed | EC2 EBS encryption |
| KMS | prod-nhc-kms-s3 | ✅ Deployed | S3 buckets |
| KMS | prod-nhc-kms-cloudtrail | ✅ Deployed | CloudTrail logs |
| KMS | prod-nhc-kms-backup | ✅ Deployed | Backup vault |
| KMS | prod-nhc-kms-rds | ✅ Deployed | RDS (Django API only) |
| VPC | prod-nhc | ✅ Deployed | 10.1.0.0/16; public + private subnets, NAT GWs, VPC endpoints, flow logs |
| S3 | prod-nhc-s3-access-logs-* | ✅ Deployed | Server access logs target |
| CloudTrail | nhc-trail | ✅ Deployed | Multi-region, KMS encrypted |
| GuardDuty | (account-level) | ✅ Deployed | SNS alerts on High/Critical findings |
| Security Hub | (account-level) | ✅ Deployed | AWS Foundational Security Best Practices + NIST 800-53 Rev 5 |
| AWS Config | nhc-config-recorder | ✅ Deployed | HIPAA conformance pack |
| IAM | SSM instance profile, Access Analyzer | ✅ Deployed | |
| AWS Backup | nhc-backup-vault | ✅ Deployed | 30-day retention; cross-region copy deferred (no DR vault yet) |
| EC2 | prod-nhc-app (i-0880310086620ce5e) | ✅ Deployed | 10.1.10.241; WP CMS + Gatsby/Astro builds |
| EC2 | prod-nhc-django (i-0341906c41c45d520) | ✅ Deployed | 10.1.11.178; Django API + Portals |
| RDS | prod-nhc-django | ✅ Deployed | MySQL 8.0, private subnet, KMS encrypted, PHI-tagged |
| ALB | prod-nhc-django-alb | ✅ Deployed | Django API + Portals; prod-nhc-django-alb-1713854905.us-east-2.elb.amazonaws.com |
| ALB | prod-nhc-wordpress-alb | ✅ Deployed | WP CMS; prod-nhc-wordpress-alb-1502175647.us-east-2.elb.amazonaws.com |
| WAF | prod-nhc-django-waf | ✅ Deployed | Attached to Django ALB; managed rules + rate limiting + CloudWatch logs |
| Cloudflare Pages | (external) | ⏳ Pending | DA-15 Phase 4: Gatsby + Astro built on EC2, deployed via GitLab CI |
Network Architecture

```text
us-east-2 (Ohio)
└── VPC: prod-nhc (10.1.0.0/16)
    ├── Public Subnets (10.1.0.0/24, 10.1.1.0/24)
    │   ├── ALB: prod-nhc-django-alb (HTTPS only, WAF prod-nhc-django-waf attached) -> Django API + Portals
    │   └── ALB: prod-nhc-wordpress-alb (HTTPS only) -> WP CMS
    ├── Private Subnets (10.1.10.0/24, 10.1.11.0/24)
    │   ├── EC2: prod-nhc-app (10.1.10.241): WP CMS + Gatsby/Astro builds
    │   ├── EC2: prod-nhc-django (10.1.11.178): Django API + Portals
    │   ├── RDS MySQL 8.0: prod-nhc-django (Django DB only, KMS prod-nhc-kms-rds)
    │   └── All outbound via NAT Gateway; AWS service traffic via VPC endpoints
    └── VPC flow logs enabled
```

Notes:

- The listeners are HTTPS-only by design; ACM certificates for all domains are still an open item, so confirm the certificate is attached before exposing a hostname.
- Only the Django ALB carries the WAF. PHI traffic (Django API + Portals) terminates on AWS infrastructure only, with no Cloudflare proxy in front of it.
- WP CMS uses a Docker MySQL container on prod-nhc-app (no RDS). It holds public content only, so it is outside the RDS KMS key and PHI tagging; its data at rest is covered by the EBS KMS key (prod-nhc-kms-ebs) on the instance volume.
App Inventory

Apps migrated from MWE (third-party). Currently dev-local; target is the NHC private subnets.

| App | Stack | PHI | Hosting Target | Status |
|---|---|---|---|---|
| WP CMS | WordPress (headless) | None (public content) | prod-nhc-app in private subnet + prod-nhc-wordpress-alb; DB = Docker MySQL on the same EC2 | Pending |
| Gatsby | Static site (consumes WP GraphQL) | None | Build on prod-nhc-app, deploy to Cloudflare Pages (staging-gatsby.novavirtual.site) | Pending |
| Astro: Essential | Static site (monorepo) | None | Build on prod-nhc-app, deploy to Cloudflare Pages (staging-essential.novavirtual.site) | Pending |
| Astro: Caring For You | Static site (monorepo) | None | Build on prod-nhc-app, deploy to Cloudflare Pages (staging-caringforyou.novavirtual.site) | Pending |
| Astro: Vital | Static site (monorepo) | None | Build on prod-nhc-app, deploy to Cloudflare Pages (staging-vital.novavirtual.site) | Pending |
| Django API | Python/Django REST API | Yes, primary PHI store | prod-nhc-django in private subnet + prod-nhc-django-alb + WAF (AWS only, no Cloudflare proxy) | Pending |
| Portals | Django API frontend | Auth sessions, in HIPAA scope | Same EC2 as Django + ALB + WAF; must stay in AWS (Netlify/Cloudflare are not BAA-eligible for this) | Pending |
Environment Lifecycle

This account is currently in the staging phase (`Stage = staging` tag on all resources).

| Stage | Meaning | How to promote |
|---|---|---|
| staging | Infrastructure live, apps not yet running, awaiting MWE prod data handover | (current stage) |
| prod | MWE prod database + S3 migrated in, apps live, real PHI in scope | Paolo sets `stage = "prod"` in terraform.tfvars, then runs `tofu apply` to retag |

After go-live, a true staging environment will be created from scratch as a separate account/VPC with `environment = "staging"` resource naming, not in this account.

Do not change `environment = "prod"` in tfvars. That value is baked into all resource names (`prod-nhc-*`); changing it would force recreation of RDS and other stateful resources. Only `stage` changes at promotion time. Check the plan before applying a promotion: it should show only in-place tag updates (`~`), never a `-/+` replacement of RDS, EC2 or the KMS keys.
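The split between `environment` (in names) and `stage` (in tags) that the rule above relies on, shown as an added illustration rather than the project's own tofu/accounts/nhc/ code. Everything except the two variable names, the `prod-nhc-*` prefix and the `prod-nhc-django` identifier is an assumption (instance class, storage, subnet group, KMS key reference). The `validation` block turns the "do not change" note into a plan-time failure, and `prevent_destroy` makes any plan that would replace the database fail instead of apply.

```hcl
# terraform.tfvars (assumed layout):
#   environment = "prod"     # never changes in this account
#   stage       = "staging"  # flipped to "prod" at promotion

variable "environment" {
  description = "Baked into resource names (prod-nhc-*). Must stay \"prod\" in this account."
  type        = string
  default     = "prod"

  validation {
    # Assumption: this root module only ever manages the NHC prod account.
    condition     = var.environment == "prod"
    error_message = "environment is part of every resource name; changing it recreates RDS and other stateful resources. Only stage changes at promotion."
  }
}

variable "stage" {
  description = "Lifecycle stage, tag only: staging until MWE prod data handover, then prod."
  type        = string

  validation {
    condition     = contains(["staging", "prod"], var.stage)
    error_message = "stage must be \"staging\" or \"prod\"."
  }
}

locals {
  name_prefix = "${var.environment}-nhc" # prod-nhc

  common_tags = {
    Environment = var.environment
    Stage       = var.stage # the only value that changes at promotion
    PHI         = "true"    # all data in this account is in HIPAA scope
    ManagedBy   = "tofu/accounts/nhc"
  }
}

# Illustrative RDS instance. The identifier derives from the prefix, so a change
# there is a destroy-and-recreate; tags derive from stage, so promotion is an
# in-place update. Arguments marked "assumption" are placeholders.
resource "aws_db_instance" "django" {
  identifier     = "${local.name_prefix}-django" # prod-nhc-django
  engine         = "mysql"
  engine_version = "8.0"
  instance_class = "db.t3.medium" # assumption
  allocated_storage = 20          # assumption

  storage_encrypted   = true
  kms_key_id          = aws_kms_key.rds.arn            # prod-nhc-kms-rds, assumed to be defined in this module
  publicly_accessible = false
  db_subnet_group_name = aws_db_subnet_group.private.name # assumption: private-subnet group

  username                    = "django" # assumption
  manage_master_user_password = true     # master password generated and stored in Secrets Manager, never in tfvars

  deletion_protection       = true
  skip_final_snapshot       = false
  final_snapshot_identifier = "${local.name_prefix}-django-final"

  tags = local.common_tags

  lifecycle {
    # Any plan that would replace this instance (e.g. a changed identifier) errors out.
    prevent_destroy = true
  }
}
```

With this in place, a promotion plan for the stage flip reads as `~ update in-place` on the `tags` argument of each resource; an accidental edit to `environment` fails at `tofu plan` on the variable validation before the provider is even contacted.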
Bootstrap Notes

- `TerraformDeployRole` does not exist yet in NHC; the provider uses the SSO `AdministratorAccess` session directly for now. The role is to be created via IaC in a future phase.
- The S3 remote state backend is commented out pending bucket bootstrap (DA-15 backlog), so state is currently a local `terraform.tfstate`. That file contains resource attributes for this account and must stay out of version control until the encrypted S3 backend is in place.
- Cross-region backup is disabled; no DR vault has been provisioned yet.
Open Items

- Create `TerraformDeployRole` in NHC via IaC and restore `assume_role` in the provider
- Bootstrap S3 state bucket + DynamoDB lock table (DA-15)
- Phase 2: EC2 x2 + RDS MySQL (Django) deployed and bootstrapped via Ansible (shown as deployed in the table above; close once confirmed)
- Phase 3: ALB module + WAF (shown as deployed in the table above; close once confirmed)
- Phase 4: GitLab CI pipelines: build on EC2, deploy to Cloudflare Pages (no AWS infra needed)
- ACM certificates for all domains
- Confirm Portals app tech stack
- Confirm WP CMS, Gatsby, Astro domain names
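The provider and backend wiring that the Bootstrap Notes describe as commented out and the first two Open Items describe as the target state, as an added example and not the project's own tofu/accounts/nhc/ code. The account ID, region and role name come from this page; the state bucket name, lock table name, KMS alias reuse, session name and the trust-policy principal pattern are assumptions. The ordering matters: the role and the state bucket are created by a run that still uses the SSO session and local state, and only after that apply succeeds are `assume_role` and `backend "s3"` uncommented (followed by `tofu init -migrate-state`).

```hcl
terraform {
  required_version = ">= 1.6"

  # Bootstrap step 2: enable once the bucket and lock table exist (DA-15).
  # Until then OpenTofu keeps a local terraform.tfstate beside this file.
  backend "s3" {
    bucket         = "nhc-tofu-state-794248400165" # assumption: bucket name
    key            = "accounts/nhc/terraform.tfstate"
    region         = "us-east-2"
    encrypt        = true
    kms_key_id     = "alias/prod-nhc-kms-s3" # assumption: reuse the account's S3 KMS key
    dynamodb_table = "nhc-tofu-locks"        # assumption: lock table name
  }
}

provider "aws" {
  region = "us-east-2"

  # Bootstrap step 1: run with the SSO AdministratorAccess session and this
  # block commented out. Restore it once TerraformDeployRole exists.
  assume_role {
    role_arn     = "arn:aws:iam::794248400165:role/TerraformDeployRole"
    session_name = "tofu-accounts-nhc" # assumption
  }

  default_tags {
    tags = {
      Environment = "prod"
      ManagedBy   = "tofu/accounts/nhc"
    }
  }
}

data "aws_caller_identity" "current" {}

# The deploy role, created from this same root module during step 1.
# Trust is limited to principals in this account whose ARN matches the
# SSO AdministratorAccess permission-set role (assumption about who may deploy).
resource "aws_iam_role" "terraform_deploy" {
  name = "TerraformDeployRole"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Action = "sts:AssumeRole"
      Principal = {
        AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
      }
      Condition = {
        ArnLike = {
          "aws:PrincipalArn" = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_AdministratorAccess_*"
        }
      }
    }]
  })

  tags = { Stage = "staging" } # retagged to prod at promotion like everything else
}

# Broad permissions for now; scoping the role down to what tofu/accounts/nhc/
# actually manages is left for the same future phase that creates it.
resource "aws_iam_role_policy_attachment" "terraform_deploy_admin" {
  role       = aws_iam_role.terraform_deploy.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}
```

The `root` principal plus an `aws:PrincipalArn` condition is used instead of naming the SSO role directly because the permission-set role ARN carries a generated suffix and is recreated if the permission set is reprovisioned; a wildcard match on the stable `AWSReservedSSO_AdministratorAccess_` prefix survives that, whereas a hard-coded ARN would leave the trust policy pointing at a deleted role.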