Repository Structure

How client repositories are organized and managed.

Every Opsitron client has infrastructure defined in repositories within their own GitHub organization. Opsitron scaffolds and manages these repositories, but you own them completely.

Config Repository

The primary repository containing all live infrastructure configuration.

acme-infra-config/
├── .github/
│   └── workflows/
│       ├── infrastructure.yml   # Plan/apply on PRs
│       ├── deploy.yml           # Container deployments
│       └── deploy-static.yml    # Static site deployments
├── .claude/
│   └── skills/                  # Client-specific AI skills
├── CLAUDE.md                    # AI agent instructions (managed by Opsitron)
├── apps/
│   ├── web-app/
│   │   ├── dev1/
│   │   │   ├── main.tf          # Module call
│   │   │   ├── variables.tf
│   │   │   ├── outputs.tf
│   │   │   ├── backend.tf       # S3 state backend
│   │   │   ├── provider.tf
│   │   │   └── terraform.tfvars # Environment-specific values
│   │   ├── stage1/
│   │   └── prod1/
│   └── shared-services/
│       └── prod1/               # ECR repos, artifact buckets
└── dns/
    ├── zone/                    # Route53 hosted zones
    └── zone-cert/               # ACM certificates

Key Conventions

  • One directory per app per environment — isolated Terraform state
  • Module calls only — no complex logic in config repo, just module wiring
  • Environment values in tfvars — account ID, region, domain, feature flags
  • SSM parameters at /{app-slug}/{environment}/... — deploy workflows read config from SSM, not from the repo

Application Repositories

Your application code with Opsitron-managed build workflows.

acme-web-app/
├── .github/
│   └── workflows/
│       └── build.yml            # Build and push to ECR (managed by Opsitron)
├── Dockerfile                   # Your application Dockerfile
├── CLAUDE.md                    # AI instructions for this repo
└── ... (your application code)

The build workflow is generated by Opsitron’s scaffolder and uses OIDC federation for AWS authentication — no stored credentials.

Platform Modules

Vetted, versioned OpenTofu/Terraform modules maintained by Ordinary Experts.

platform-modules/
├── modules/
│   ├── ecs-webapp/          # ECS Fargate + ALB + RDS + Redis
│   ├── static-website/      # S3 + CloudFront
│   ├── shared-services/     # ECR repos + artifact buckets
│   └── ecr-repository/      # Standalone ECR repo
└── ...

Each module follows semantic versioning with per-module tags (e.g., ecs-webapp-v2.2.0). Modules include:

  • All required AWS resources
  • SSM parameters for deploy workflow discovery
  • Cross-account access policies
  • Lifecycle policies for cleanup
  • Environment-appropriate defaults
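
A CI-style check for two of the conventions above, module calls only and version-pinned module sources, so that a module change reaches an environment only through a reviewed ref bump in the config repo. This is an added example, not part of Opsitron's tooling. It assumes git-style sources of the form `...//modules/<name>?ref=<tag>`, accepts both the per-module tag form (ecs-webapp-v2.2.0) and a bare version (v2.2.0), and uses a placeholder `example-org` URL.

```python
import re

MODULE_RE = re.compile(r'^module\s+"([^"]+)"\s*\{(.*?)^\}', re.S | re.M)
SOURCE_RE = re.compile(r'^\s*source\s*=\s*"([^"]+)"', re.M)
RESOURCE_RE = re.compile(r'^resource\s+"([^"]+)"\s+"([^"]+)"', re.M)
SUBDIR_RE = re.compile(r'//modules/([^/?]+)')   # assumed repo layout: modules/<name>
REF_RE = re.compile(r'[?&]ref=([^&]+)')
# Per-module tag (ecs-webapp-v2.2.0) or bare version (v2.2.0)
TAG_RE = re.compile(r'(?:([a-z0-9-]+)-)?v\d+\.\d+\.\d+')

def audit_main_tf(text):
    """Return (block, problem) findings for one environment's main.tf."""
    findings = [(f"resource.{t}.{n}", "inline resource; convention is module calls only")
                for t, n in RESOURCE_RE.findall(text)]
    for name, body in MODULE_RE.findall(text):
        block = f"module.{name}"
        src = SOURCE_RE.search(body)
        if not src:
            findings.append((block, "no source attribute"))
            continue
        url = src.group(1)
        ref = REF_RE.search(url)
        if not ref:
            findings.append((block, "source has no ?ref=, so it tracks the default branch"))
            continue
        tag = TAG_RE.fullmatch(ref.group(1))
        if not tag:
            findings.append((block, f"ref '{ref.group(1)}' is not a version tag"))
            continue
        subdir = SUBDIR_RE.search(url)
        # A per-module tag must belong to the module directory it is used with.
        if tag.group(1) and subdir and tag.group(1) != subdir.group(1):
            findings.append((block, f"tag is for '{tag.group(1)}', source is '{subdir.group(1)}'"))
    return findings

# Constructed sample; example-org and the bucket name are placeholders.
BASE = "git::https://github.com/example-org/platform-modules.git//modules"
SAMPLE = f'''
module "web_app" {{
  source = "{BASE}/ecs-webapp?ref=ecs-webapp-v2.2.0"
}}
module "site" {{
  source = "{BASE}/static-website?ref=main"
}}
module "repo" {{
  source = "{BASE}/ecr-repository?ref=ecs-webapp-v2.2.0"
}}
resource "aws_s3_bucket" "scratch" {{
  bucket = "acme-scratch"
}}
'''
```

Running `audit_main_tf` over every `apps/*/*/main.tf` in the infrastructure workflow and failing the job on any finding turns the conventions into an enforced gate.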

How Repositories Connect

Application Repo          Config Repo              Platform Modules
  (your code)             (your infra)             (OE maintained)
     │                        │                         │
     │ push to main           │                         │
     ▼                        │                         │
  Build Workflow ──────► ECR Image                      │
                              │                         │
                              ▼                         │
                     apps/web-app/dev1/                  │
                       main.tf ─────────────────► ecs-webapp module
                              │                    (source ?ref=v2.2.0)
                              ▼
                    Infrastructure Workflow
                     tofu plan → tofu apply
                              │
                              ▼
                      AWS Resources
                  (ECS, ALB, RDS, etc.)