Infrastructure

This page documents the AWS infrastructure provisioned by Terraform for the qa-automation service. All resources are defined in the deploy/ directory and are applied exclusively to the test environment via GitHub Actions. The infrastructure is managed using the fmtf-module-lambda internal module and the terraform-aws-modules/apigateway-v2 community module.

This service is deployed exclusively to the test environment and is never deployed to production.

Lambda Functions

One Lambda function is deployed. It is built from the cmd/api entrypoint, packaged as a binary in dist/, and deployed using the internal fmtf-module-lambda module (v2.0.1).

| Function | Trigger | Timeout | Memory |
|---|---|---|---|
| test-qa-automation-api | API Gateway HTTP API (AWS IAM SigV4) — ANY /{proxy+} | 300s | Module default |

Key IAM permissions granted to test-qa-automation-api:

  • sqs:SendMessage — subscription and float collections queues, LOC collections queue
  • kinesis:PutRecord, kinesis:PutRecords — test-payments Kinesis stream
  • dynamodb:GetItem/PutItem/Query/UpdateItem/DeleteItem — bypass, underwriting, subscriptions, subscriptions_history tables
  • lambda:InvokeFunction — user-handler-floatme-test, test-loc-service-loc-collections-job
  • execute-api:Invoke — insight, user, payments, txn, float, subscriptions, LOC, underwriting, admin-api gateways
  • secretsmanager:GetSecretValue — Auth0, RDS, Plaid, GrowthBook, Iterable, Iterable Mobile secrets

Environment Variables

The Lambda receives the following runtime configuration via environment variables:

| Variable | Value / Source |
|---|---|
| BYPASS_TABLE_NAME | requirements-bypass (default) |
| SUBSCRIPTION_TABLE_NAME | Hardcoded at deploy time |
| UNDERWRITING_TABLE_NAME | Hardcoded at deploy time |
| DYNAMO_REGION | us-west-2 |
| LOG_VERBOSITY | 1 in test environment, 0 otherwise |
| USER_SERVICE_URL / USER_SERVICE_REGION | Resolved from test-user-service API Gateway |
| ADMIN_SERVICE_URL / ADMIN_SERVICE_REGION | Resolved from test-admin-api-internal API Gateway |
| INSIGHT_SERVICE_URL / INSIGHT_SERVICE_REGION | Resolved from test-insight API Gateway |
| TXN_SERVICE_URL / TXN_SERVICE_REGION | Resolved from test-txn API Gateway |
| PAYMENTS_SERVICE_URL / PAYMENTS_SERVICE_REGION | Resolved from test-payments API Gateway |
| LOC_SERVICE_URL / LOC_SERVICE_REGION | Resolved from test-loc-service API Gateway |
| FLOAT_SERVICE_URL / FLOAT_SERVICE_REGION | Resolved from test-floats API Gateway |
| SUBSCRIPTION_SERVICE_URL / SUBSCRIPTION_SERVICE_REGION | Resolved from test-subscription-service API Gateway |
| UNDERWRITING_SERVICE_URL / UNDERWRITING_SERVICE_REGION | Resolved from test-underwriting API Gateway |
| SM_AUTH0_NAME | test/auth0 |
| SM_RDS_MAIN_NAME | test/rds/main |
| SM_PLAID_NAME | test/plaid |
| SM_GROWTHBOOK_NAME | test/growthbook |
| SM_ITERABLE_NAME | test/iterable |
| SM_ITERABLE_MOBILE_NAME | test/iterable-mobile |
| SUBSCRIPTION_COLLECTIONS_SCHEDULED_QUEUE_URL | SQS URL for scheduled subscription collections queue |
| SUBSCRIPTION_COLLECTIONS_PAUSED_QUEUE_URL | SQS URL for paused subscription collections queue |
| SUBSCRIPTION_COLLECTIONS_RETRY_QUEUE_URL | SQS URL for retry subscription collections queue |
| SUBSCRIPTION_COLLECTIONS_WEBHOOK_QUEUE_URL | SQS URL for webhook subscription collections queue |
| SUBSCRIPTION_COLLECTIONS_NOTIFIER_QUEUE_URL | SQS URL for subscription notifier worker queue |
| FLOAT_COLLECTIONS_DAILY_QUEUE_URL | SQS URL for daily float collections queue |
| FLOAT_COLLECTIONS_WEBHOOK_QUEUE_URL | SQS URL for webhook float collections queue |

API Gateway

The HTTP API (API Gateway v2) is provisioned using the terraform-aws-modules/apigateway-v2 module (v6.1.0).

| Property | Value |
|---|---|
| Name | test-qa-automation |
| Protocol | HTTP API (API Gateway v2) |
| Custom domain | Not configured (create_domain_name = false) |
| Endpoint URL | Assigned automatically by AWS at deploy time |
| Auth type | AWS_IAM (SigV4 request signing required on all routes) |
| Integration payload format | 1.0 |
| Integration timeout | 30,000 ms (30s) |

Routes

| Method + Path | Auth | Backend |
|---|---|---|
| ANY /{proxy+} | AWS IAM (SigV4) | test-qa-automation-api Lambda |

All test automation API calls must be signed with AWS Signature Version 4 using credentials that have execute-api:Invoke permission on this API.
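Signing a call to the ANY /{proxy+} route, as an added example of the SigV4 scheme the route requires (this is not code from the qa-automation repository): a stdlib-only Go signer for the execute-api service, which derives the signing key from the long-term secret and binds the method, path, query, headers and body to the signature. The API host, access key and secret are constructed placeholders.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

func hmacSHA256(key []byte, data string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(data))
	return h.Sum(nil)
}

// SignV4 returns the Authorization header value for one execute-api request. path must be
// URI-encoded and query canonical (sorted, encoded); headers must include host and x-amz-date.
func SignV4(accessKey, secretKey, region, method, path, query, body, amzDate string, headers map[string]string) string {
	canon := map[string]string{}
	names := make([]string, 0, len(headers))
	for k, v := range headers { // canonical headers: lowercase names, trimmed values, sorted
		lk := strings.ToLower(k)
		canon[lk] = strings.TrimSpace(v)
		names = append(names, lk)
	}
	sort.Strings(names)
	var ch strings.Builder
	for _, k := range names {
		ch.WriteString(k + ":" + canon[k] + "\n")
	}
	signed := strings.Join(names, ";")
	bodyHash := sha256.Sum256([]byte(body))
	canonReq := strings.Join([]string{method, path, query, ch.String(), signed, hex.EncodeToString(bodyHash[:])}, "\n")
	reqHash := sha256.Sum256([]byte(canonReq))
	scope := amzDate[:8] + "/" + region + "/execute-api/aws4_request"
	toSign := strings.Join([]string{"AWS4-HMAC-SHA256", amzDate, scope, hex.EncodeToString(reqHash[:])}, "\n")
	// Signing key: HMAC chain over date, region, service and terminator; the long-term secret is never sent.
	kDate := hmacSHA256([]byte("AWS4"+secretKey), amzDate[:8])
	kSigning := hmacSHA256(hmacSHA256(hmacSHA256(kDate, region), "execute-api"), "aws4_request")
	sig := hex.EncodeToString(hmacSHA256(kSigning, toSign))
	return fmt.Sprintf("AWS4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s", accessKey, scope, signed, sig)
}

func main() { // constructed placeholder key pair and host, not real values
	hdrs := map[string]string{"Host": "abc123.execute-api.us-west-2.amazonaws.com", "X-Amz-Date": "20240101T120000Z"}
	fmt.Println("Authorization:", SignV4("AKIDEXAMPLE", "EXAMPLE_SECRET", "us-west-2", "POST", "/v1/bypass", "", `{"rule":"kyc"}`, "20240101T120000Z", hdrs))
}
```

The request must carry the same X-Amz-Date header that was signed; with temporary credentials, pass x-amz-security-token in the headers map so the token is covered by the signature as well.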

DynamoDB Tables

The Lambda reads and writes to four DynamoDB tables, all in us-west-2. These tables are pre-existing (looked up via data sources) and are not created by this service.

| Table | Region | Purpose |
|---|---|---|
| requirements-bypass | us-west-2 | Stores requirement bypass rules used by test flows to skip eligibility checks (e.g., advance eligibility, KYC gates) |
| billing-activity | us-west-2 | Subscription billing activity records (current); read and written during subscription lifecycle tests |
| billing-activity-history | us-west-2 | Historical billing activity; queried during subscription history assertions in tests |
| test-underwriting | us-west-2 | Underwriting decision records used during underwriting flow tests |

Secrets Manager

All secrets are stored in AWS Secrets Manager under the test/ path prefix and are referenced by name in the Lambda’s environment. The Lambda retrieves them at startup via secretsmanager:GetSecretValue.

| Secret name (path) | Environment variable | Contents |
|---|---|---|
| test/auth0 | SM_AUTH0_NAME | Auth0 credentials — client ID, client secret, and domain used to obtain tokens for test user authentication flows |
| test/rds/main | SM_RDS_MAIN_NAME | Primary RDS database credentials — host, port, username, and password for direct DB access during test setup and teardown |
| test/plaid | SM_PLAID_NAME | Plaid API credentials — client ID and secret for simulating bank link and transaction flows in the test environment |
| test/growthbook | SM_GROWTHBOOK_NAME | GrowthBook SDK key and API credentials used to read and override feature flag state during tests |
| test/iterable | SM_ITERABLE_NAME | Iterable server-side API key for verifying email and push notification events triggered by test flows |
| test/iterable-mobile | SM_ITERABLE_MOBILE_NAME | Iterable mobile (JWT) API key used to authenticate mobile-originated notification events in tests |
| test/datadog/terraform | (Terraform only — not injected into Lambda) | Datadog api_key and app_key used solely by the Terraform Datadog provider to provision SLOs and service definitions |

VPC

The Lambda runs inside the FloatMe shared VPC in us-west-2. Subnet and security group resources are looked up by tag name at deploy time rather than hardcoded by ID.

| Resource | Details |
|---|---|
| Private Subnet 1 | Tagged floatme Private Subnet 1 — first private subnet, no direct internet access, egress via NAT Gateway |
| Private Subnet 2 | Tagged floatme Private Subnet 2 — second private subnet in a separate AZ for redundancy |
| Security Group | Tagged floatme PrivateSG — private security group permitting intra-VPC traffic; blocks inbound internet traffic |

Placing the Lambda in private subnets ensures it can reach RDS and other internal services over the VPC network without exposing them to the public internet.

Datadog

Monitoring is enabled through the fmtf-module-lambda module, which provisions CloudWatch-based monitors forwarded to Datadog via the Datadog Lambda Extension. Three Service Level Objectives (SLOs) are defined for the qa-api Lambda, each with 7-day and 30-day windows.

| SLO | Monitor type | Thresholds (target / warning) |
|---|---|---|
| [AWS][test-qa-automation] Lambda Errors SLO | Monitor-based (error rate) | 99.9% / 99.99% over 7d and 30d |
| [AWS][test-qa-automation] Lambda Throughput SLO | Monitor-based (invocation count) | 99.9% / 99.99% over 7d and 30d |
| [AWS][test-qa-automation] Lambda Latency SLO | Monitor-based (duration) | 99.9% / 99.99% over 7d and 30d |

A Datadog service definition (schema v2.2) is also registered for the qa service, linking it to:

Datadog credentials (api_key, app_key) are sourced from test/datadog/terraform in Secrets Manager and are used only by the Terraform provider — they are not injected into the Lambda runtime.