# Deployment

EntryTarget runs as a single container on AWS Fargate, connected to an RDS PostgreSQL database. Each customer runs their own segregated infrastructure.

## Deployment Options

You can deploy EntryTarget in two ways:

### 1. Managed Deploy

The vendor provisions and manages everything for you:

1. Provide an AWS access key in the Console
2. A CloudFormation stack is deployed that provisions:
   * VPC with proper networking
   * Fargate service with the container image
   * RDS PostgreSQL (master + optional read replica)
   * Security Groups
3. Your instance is ready to use

### 2. Manual Deploy

You deploy and manage the infrastructure yourself:

1. Download the container image from the Console
2. Set up your own Fargate + RDS infrastructure
3. Configure environment variables
4. Apply the database schema
5. Start the service

See [Database Setup](/docs/operations/database-setup.md) and [Environment Variables](/docs/operations/environment-variables.md) for configuration details.

## Infrastructure Requirements

| Component    | Requirement                                   |
| ------------ | --------------------------------------------- |
| Compute      | AWS Fargate                                   |
| Database     | RDS PostgreSQL                                |
| Read Replica | Recommended (all reads go to replica)         |
| TLS          | Required in production (`LEDGER_DB_TLS=true`) |

## Startup Sequence

On startup, the server performs the following steps **before accepting any HTTP traffic:**

1. Validates that all required environment variables are present
2. Loads and verifies the license file, then validates the runtime environment
3. Initializes database connection pools (master + replica)
4. Populates the crash recovery table
5. Validates subscription status via heartbeat
6. Starts the batch processing engine
7. Begins accepting HTTP requests

If any step fails, the process exits immediately — no partial startup, no degraded mode.

## Graceful Shutdown

The server handles `SIGTERM` (sent by Fargate during deployments) gracefully:

* Stops accepting new HTTP requests
* Waits for in-flight batch requests to complete
* Commits the current batch if any
* Exits cleanly

This ensures no data loss during deployments or scaling events.

## Security Groups Configuration

| Source        | Destination | Port | Purpose          |
| ------------- | ----------- | ---- | ---------------- |
| Fargate       | RDS Master  | 5432 | Write operations |
| Fargate       | RDS Replica | 5432 | Read operations  |
| Prometheus IP | Fargate     | 8080 | Metrics scraping |
| Your services | Fargate     | 8080 | API access       |

{% hint style="warning" %}
The `/metrics` endpoint has no authentication. Restrict access to your Prometheus scraper's IP via Security Groups.
{% endhint %}
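The following added example (not part of EntryTarget or its tooling) audits security group ingress rules against the table above, using JSON in the shape returned by `aws ec2 describe-security-groups`. The group IDs, CIDRs, and function names are constructed for illustration, and treating any CIDR source on port 5432 as a finding is an assumption based on the table listing Fargate as the only source for RDS.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group IDs and CIDRs are made up for illustration.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-fargate-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
     "IpRanges": [{"CidrIp": "10.0.5.20/32"}, {"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-services-example"}]}]},
  {"GroupId": "sg-rds-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-fargate-example"}]}]}
]}
""")

def covers(perm, port):
    """True if an ingress permission includes the given TCP port."""
    if perm["IpProtocol"] == "-1":  # "-1" means all protocols and all ports
        return True
    return perm["IpProtocol"] == "tcp" and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def cidrs(perm):
    """All IPv4 and IPv6 CIDR sources of one ingress permission."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])] +
            [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])

def audit(doc, fargate_sg, rds_sg, allowed_8080):
    """Return (group, port, source, reason) findings for ports 8080 and 5432."""
    allowed = [ipaddress.ip_network(c) for c in allowed_8080]
    findings = []
    for sg in doc["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if sg["GroupId"] == fargate_sg and covers(perm, 8080):
                for c in cidrs(perm):
                    net = ipaddress.ip_network(c)
                    if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
                        findings.append((sg["GroupId"], 8080, c, "CIDR outside allow-list"))
            if sg["GroupId"] == rds_sg and covers(perm, 5432):
                for c in cidrs(perm):  # assumption: only the Fargate SG should be a source
                    findings.append((sg["GroupId"], 5432, c, "CIDR source on database port"))
                for pair in perm.get("UserIdGroupPairs", []):
                    if pair["GroupId"] != fargate_sg:
                        findings.append((sg["GroupId"], 5432, pair["GroupId"], "unexpected group"))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE, "sg-fargate-example", "sg-rds-example", ["10.0.5.20/32"]):
        print(f)
```

Because API access and metrics scraping share port 8080 in the table above, every source permitted on that port can also reach `/metrics`, so the allow-list passed to `audit` should contain only sources you accept as metrics readers.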

## Container Image

The container image includes a universal binary and a per-customer `license.jwt` file signed with Ed25519. This means:

* The binary is the same for all customers
* Customer identity is established by the signed license file
* The license contains the customer's AWS Account ID, validated at startup against the Fargate runtime environment

