AWS Architecture for ITSM Infrastructure
Multi-Account Structure (AWS Organizations)
Best practice for enterprise ITSM deployments uses a multi-account model via AWS Organizations and Control Tower:
```text
Management Account (billing + governance)
├── Security OU
│   ├── Log Archive Account (CloudTrail, Config, S3 logs)
│   └── Security Tooling (GuardDuty, Security Hub)
├── Infrastructure OU
│   ├── Network Account (Transit Gateway, Direct Connect)
│   └── Shared Services (DNS, AD, monitoring)
└── Workloads OU
    ├── Production Account (ITSM platform, live services)
    ├── Staging Account (pre-prod validation)
    └── Dev Account (development and testing)
```

ITSM platforms (ServiceNow instances, Jira Data Center) run in the Production Account. This isolates their blast radius and simplifies compliance auditing.
Terraform Module Structure
```hcl
# Root module — production ITSM infrastructure
# /terraform/environments/prod/main.tf
# data.aws_ami.rhel9 and module.alb, referenced below, are assumed to be
# declared in sibling files of this root module.

module "networking" {
  source             = "../../modules/networking"
  vpc_cidr           = "10.0.0.0/16"
  availability_zones = ["eu-west-3a", "eu-west-3b", "eu-west-3c"]
  enable_nat_gateway = true
  enable_vpn_gateway = true
}

module "itsm_compute" {
  source           = "../../modules/itsm-compute"
  instance_type    = "m6i.2xlarge"
  ami_id           = data.aws_ami.rhel9.id
  subnet_ids       = module.networking.private_subnet_ids # private subnets only
  min_size         = 2
  max_size         = 6
  target_group_arn = module.alb.target_group_arn
}

module "rds" {
  source            = "../../modules/rds-postgres"
  engine_version    = "15.4"
  instance_class    = "db.r6g.xlarge"
  multi_az          = true
  storage_encrypted = true
  backup_retention  = 35 # days
}

module "bcp_dr" {
  source         = "../../modules/dr"
  primary_region = "eu-west-3"
  dr_region      = "eu-west-1"
  rpo_hours      = 1
  rto_hours      = 4
}
```

BCP/DR Architecture
RTO/RPO Tiers
| Tier | Service Examples | RTO | RPO | Strategy |
|---|---|---|---|---|
| Tier 1 | ITSM Platform (Prod) | 4h | 1h | Active-Passive, cross-region |
| Tier 2 | Internal tools | 8h | 4h | Warm standby, same region |
| Tier 3 | Dev/staging | 24h | 24h | Cold backup restore |
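The Route 53 layer of the Tier 1 active-passive strategy, as an added Terraform example that is not part of the original page; the hosted zone variable, the `itsm.example.com` name, the `/health` path and the `module.alb` / `module.dr_alb` outputs are assumptions:

```hcl
# Added example: Route 53 active-passive failover for the Tier 1 ITSM platform.
# Assumed (not from the page): var.zone_id, the itsm.example.com name, the /health
# path, and module.alb / module.dr_alb outputs (dns_name, zone_id) for the two ALBs.

# Three failed 30-second probes (about 90s) mark the primary unhealthy.
resource "aws_route53_health_check" "itsm_primary" {
  fqdn              = module.alb.dns_name # primary ALB, eu-west-3
  port              = 443
  type              = "HTTPS"
  resource_path     = "/health"
  failure_threshold = 3
  request_interval  = 30
}

# PRIMARY record: answered while the health check passes. Alias records take
# the ALB's 60s TTL, which bounds how long clients keep the stale answer.
resource "aws_route53_record" "itsm_primary" {
  zone_id         = var.zone_id
  name            = "itsm.example.com"
  type            = "A"
  set_identifier  = "primary-eu-west-3"
  health_check_id = aws_route53_health_check.itsm_primary.id
  failover_routing_policy {
    type = "PRIMARY"
  }
  alias {
    name                   = module.alb.dns_name
    zone_id                = module.alb.zone_id
    evaluate_target_health = true
  }
}

# SECONDARY record: answered only when the primary is unhealthy. Target health
# is not evaluated because the standby EC2 fleet is stopped until the DR runbook
# starts it; evaluating it would leave Route 53 with no healthy answer at all.
resource "aws_route53_record" "itsm_secondary" {
  zone_id        = var.zone_id
  name           = "itsm.example.com"
  type           = "A"
  set_identifier = "secondary-eu-west-1"
  failover_routing_policy {
    type = "SECONDARY"
  }
  alias {
    name                   = module.dr_alb.dns_name # standby ALB, eu-west-1
    zone_id                = module.dr_alb.zone_id
    evaluate_target_health = false
  }
}
```

Exercising the health check (for instance by blocking `/health` on the primary in a game day) is the only way to confirm the observed failover time actually matches the 1h RPO / 4h RTO budget in the table.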
Cross-Region DR Pattern

```text
EU-WEST-3 (Paris) — PRIMARY                EU-WEST-1 (Ireland) — DR
┌─────────────────────┐                    ┌────────────────────┐
│ ALB                 │                    │ ALB (standby)      │
│ EC2 Auto Scaling    │                    │ EC2 (stopped)      │
│ RDS Primary ────────┼───────────────────→│ RDS Read Replica   │
│ S3 (assets) ────────┼───────────────────→│ S3 (replication)   │
│ Route53 Primary     │                    │ Route53 Secondary  │
└─────────┬───────────┘                    └─────────┬──────────┘
          │                                          │
          └────────── Route53 Health Check ──────────┘
Failover: < 60s DNS TTL
```

Hybrid Connectivity (Direct Connect + VPN)
```text
On-Premises DC
│
├── AWS Direct Connect (1Gbps) ──→ Network Account → Transit Gateway
│     Primary: dedicated, predictable latency
│
└── Site-to-Site VPN (backup) ───→ Network Account → Transit Gateway
      Failover: automatic via BGP
                                                            │
                                            ┌───────────────┼───────────────┐
                                            ↓               ↓               ↓
                                       Production        Staging          Shared
                                        Account          Account         Services
```

Key Terraform Providers & Modules
```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }

  # State is encrypted at rest in S3; the DynamoDB table provides state locking
  # so concurrent applies cannot corrupt it.
  backend "s3" {
    bucket         = "dk-terraform-state-prod"
    key            = "itsm/prod/terraform.tfstate"
    region         = "eu-west-3"
    dynamodb_table = "terraform-lock"
    encrypt        = true
  }
}

# Remote state references for cross-module dependencies
data "terraform_remote_state" "networking" {
  backend = "s3"
  config = {
    bucket = "dk-terraform-state-prod"
    key    = "networking/prod/terraform.tfstate"
    region = "eu-west-3"
  }
}
```