Architecture - saayam-for-all/docs GitHub Wiki

The following is the proposed architecture.

Saayam-flow

We need to support 4 different clients:

  • Web application running from AWS S3 and CloudFront - Available in phase 1
  • Mobile applications running on both iOS and Android - Available in phase 2
  • Saayam API - Useful for integration with other volunteer organizations - Available in phase 3
  • Saayam SDK - Programmatic integration with other organizations - Available in phase 4

We are planning on running all our backend in AWS.

High level flow:

  • All client requests first go through CloudFront or the edge location closest to the consumer for faster performance.
  • Another main entry point would be Web Application Firewall (WAF) for security.
  • All requests will be sent to API Gateway.
  • API Gateway uses Cognito for authentication and authorization.
  • Authenticated requests will be sent to Lambda functions that act as publishers to MSK (Kafka).
  • MSK contains multiple topics based on functionality. For example, we can have one topic for CRUD operations on volunteers and another topic for CRUD operations on requests.
  • Lambda functions and microservices act as consumers of MSK. Based on complexity, we can decide whether to go with a Lambda function or a microservice.
  • All microservices run in EKS (Kubernetes).
  • We plan to use Aurora (with or without the Postgres flavor - TBD) as our database.
  • For data analysis, we will store relevant information in S3 and then use tools like Glue, Athena and QuickSight for analysis.
  • Microservices can use ElastiCache as an in-memory cache.
  • We will be using many other AWS services, such as Route53 for DNS, CloudWatch for monitoring, SageMaker for data analysis, CloudTrail for auditing, X-Ray for tracing, EventBridge for event handling, SNS for notifications, SQS for buffering, etc.

User Groups

We support the following types of user groups in our organization:

  • SaayamUsers - Basic users who have signed up with the Saayam For All organization. These may or may not be employees of Saayam For All. They can create help requests for themselves and also on behalf of others.
  • SaayamVolunteers - These are certified Saayam For All volunteers. Only these people can help the requestors of help. They may or may NOT belong to the Saayam For All organization.
  • SaayamEmployees - Employees of Saayam For All. These users have more privileges than SaayamUsers and SaayamVolunteers. Read-only privilege for Saayam For All data.
  • SaayamAdmins - Privileged Saayam For All employees who can access complete data from Saayam For All, e.g. help requests filed, users signed up with Saayam For All, etc. They can edit the data, but cannot delete any data/infrastructure etc.
  • SaayamSuperAdmins - These are employees of Saayam For All with super powers. They can perform delete operations on the data/infrastructure etc.

Roles & Privileges

We use the AWS IAM service to create the necessary roles and privileges. These roles will be assigned to the above user groups. Resources stipulate what roles/privileges are needed to access them.

The principle of least privilege (PoLP) is an information security concept that limits users and applications to the minimum amount of access they need to perform their jobs. This can include access to data, resources, and applications.
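
One way to apply least privilege to the user groups above inside a Lambda behind API Gateway and Cognito, as an added example that is not the project's own code. The action names, the routes, and the choice that super admins keep the admin privileges are assumptions; the claims are read from the REST API proxy event at `requestContext.authorizer.claims`.

```python
"""Deny-by-default group check for a Lambda behind API Gateway + Cognito."""

# Group names are from the User Groups list; action names are hypothetical.
GROUP_PERMISSIONS = {
    "SaayamUsers": {"request:create"},
    "SaayamVolunteers": {"request:help"},
    "SaayamEmployees": {"data:read"},
    "SaayamAdmins": {"data:read", "data:edit"},
    # Assumption: super admins keep the admin privileges and add delete.
    "SaayamSuperAdmins": {"data:read", "data:edit", "data:delete"},
}

# Hypothetical routes; anything not listed here is refused.
ROUTE_ACTIONS = {
    ("POST", "/requests"): "request:create",
    ("GET", "/admin/requests"): "data:read",
    ("PUT", "/admin/requests/{id}"): "data:edit",
    ("DELETE", "/admin/requests/{id}"): "data:delete",
}


def parse_groups(claims):
    """Return the caller's groups from the 'cognito:groups' claim."""
    raw = claims.get("cognito:groups")
    if isinstance(raw, str):
        # The claim may arrive flattened to a string; accept comma or space separators.
        raw = raw.strip("[]").replace(",", " ").split()
    if not isinstance(raw, (list, tuple, set)):
        return set()  # missing or malformed claim: no groups
    return {g for g in raw if isinstance(g, str)}


def effective_permissions(groups):
    """Union of privileges; a group missing from the table grants nothing."""
    perms = set()
    for group in groups:
        perms |= GROUP_PERMISSIONS.get(group, set())
    return perms


def authorize(event):
    """True only if the route is mapped and one of the caller's groups grants it."""
    action = ROUTE_ACTIONS.get((event.get("httpMethod"), event.get("resource")))
    if action is None:
        return False
    ctx = event.get("requestContext") or {}
    claims = (ctx.get("authorizer") or {}).get("claims") or {}
    return action in effective_permissions(parse_groups(claims))
```

An unmapped route, a missing claim and an unknown group all end in a refusal, so adding a new endpoint or group grants nothing until it is listed explicitly.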