Internal Infrastructure Details
INTERNAL USE ONLY - This page contains sensitive infrastructure information. Do not share externally or include in public documentation.
Detailed infrastructure configuration, credentials management, and internal deployment procedures for team members only.
Complete Infrastructure Map
Credentials & Access
Account Access Matrix
| Service | Account Email | Access Level | 2FA | Password Manager |
|---|---|---|---|---|
| GoDaddy | admin@altsportsdata.com | Owner | Yes | 1Password: GoDaddy |
| Cloudflare | admin@altsportsdata.com | Super Admin | Yes | 1Password: Cloudflare |
| Google Cloud | assistant@altsportsdata.com | Owner | Yes | 1Password: GCP |
| Vercel | admin@altsportsdata.com | Owner | Yes | 1Password: Vercel |
| Supabase | admin@altsportsdata.com | Owner | Yes | 1Password: Supabase |
| Neo4j | admin@altsportsdata.com | Admin | Yes | 1Password: Neo4j |
| Firebase | assistant@altsportsdata.com | Owner | Yes | 1Password: Firebase |
| n8n Cloud | admin@altsportsdata.com | Owner | Yes | 1Password: n8n |
API Keys Storage
Google Cloud Secret Manager:
| Secret Name | Used By | Rotation Schedule |
|---|---|---|
| OPENAI_API_KEY | Backend API | Every 90 days |
| ANTHROPIC_API_KEY | Backend API | Every 90 days |
| SUPABASE_SERVICE_ROLE_KEY | Backend API | Yearly |
| NEO4J_PASSWORD | Backend API | Yearly |
| FIREBASE_ADMIN_SDK | Backend API | Never (rotate if compromised) |
Access Secrets:
```bash
# List all secrets
gcloud secrets list --project altsportsdata-102243

# Get specific secret value (requires permission)
gcloud secrets versions access latest \
  --secret="OPENAI_API_KEY" \
  --project altsportsdata-102243

# Add new secret (--data-file=- reads the initial value from stdin)
echo -n "initial-secret-value" | gcloud secrets create NEW_SECRET_NAME \
  --data-file=- \
  --project altsportsdata-102243

# Update secret (adds a new version; consumers using "latest" pick it up)
echo -n "new-secret-value" | gcloud secrets versions add NEW_SECRET_NAME \
  --data-file=- \
  --project altsportsdata-102243
```
Google Cloud Project Structure
Project: altsportsdata-102243
Service Accounts
Active Service Accounts:
- Cloud Run Service Account
  - Email: xxx@altsportsdata-102243.iam.gserviceaccount.com
  - Roles: Cloud Run Service Agent, Secret Manager Accessor
  - Used for: Backend API runtime
- Deployment Service Account
  - Email: deployment@altsportsdata-102243.iam.gserviceaccount.com
  - Roles: Cloud Run Admin, Storage Admin, Container Registry Writer
  - Used for: CI/CD deployments
- Firebase Admin SDK
  - Email: firebase-adminsdk-xxx@altsportsdata-102243.iam.gserviceaccount.com
  - Roles: Firebase Admin
  - Used for: Backend Firebase operations
Key Files (DO NOT COMMIT TO GIT):
- service-account-keys/cloud-run-sa.json
- service-account-keys/deployment-sa.json
- service-account-keys/firebase-admin-sdk.json
Database Connection Strings
Production Database URIs
NEVER commit these to Git! Store in Secret Manager or 1Password.
Neo4j AuraDB:
```bash
# Connection URI (store in Secret Manager)
NEO4J_URI=neo4j+s://xxx.databases.neo4j.io
NEO4J_USER=neo4j
NEO4J_PASSWORD=<stored-in-secret-manager>

# Database Name
NEO4J_DATABASE=altsportsleagues

# Region
REGION=us-east-1
```
Supabase:
```bash
# Project
SUPABASE_PROJECT_ID=vljfrdsqtmdujhoxwtig
SUPABASE_URL=https://vljfrdsqtmdujhoxwtig.supabase.co

# Keys (store in Secret Manager)
SUPABASE_ANON_KEY=<public-anon-key>
SUPABASE_SERVICE_ROLE_KEY=<secret-service-role-key>

# Database Direct Connection
DATABASE_URL=postgresql://postgres.<project-ref>:<password>@aws-0-us-east-1.pooler.supabase.com:5432/postgres
```
Firebase:
```bash
# Project
FIREBASE_PROJECT_ID=altsportsdata-102243

# Config (frontend - can be public)
NEXT_PUBLIC_FIREBASE_API_KEY=<firebase-api-key>
NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN=altsportsdata-102243.firebaseapp.com
NEXT_PUBLIC_FIREBASE_PROJECT_ID=altsportsdata-102243

# Admin SDK (backend - MUST be secret)
GOOGLE_APPLICATION_CREDENTIALS=/path/to/firebase-admin-sdk.json
```
Redis (Optional):
```bash
# If using Redis Cloud or self-hosted
REDIS_URL=redis://:<password>@redis-12345.c123.us-east-1-2.ec2.cloud.redislabs.com:12345
```
Connection Diagram
Internal Deployment Configuration
Cloud Run Service Configuration
Full Configuration (actual production values):
```yaml
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: altsportsleagues-backend
  namespace: 'altsportsdata-102243'
  labels:
    cloud.googleapis.com/location: us-central1
spec:
  template:
    metadata:
      annotations:
        autoscaling.knative.dev/minScale: '0'
        autoscaling.knative.dev/maxScale: '10'
        run.googleapis.com/cpu-throttling: 'false'
        run.googleapis.com/startup-cpu-boost: 'true'
    spec:
      containerConcurrency: 80
      timeoutSeconds: 300
      serviceAccountName: 'cloud-run-sa@altsportsdata-102243.iam.gserviceaccount.com'
      containers:
        - image: gcr.io/altsportsdata-102243/altsportsleagues-backend:latest
          ports:
            - name: http1
              containerPort: 8080
          env:
            - name: PORT
              value: '8080'
            - name: GOOGLE_CLOUD_PROJECT
              value: 'altsportsdata-102243'
            - name: OPENAI_API_KEY
              valueFrom:
                secretKeyRef:
                  name: OPENAI_API_KEY
                  key: latest
            - name: ANTHROPIC_API_KEY
              valueFrom:
                secretKeyRef:
                  name: ANTHROPIC_API_KEY
                  key: latest
          resources:
            limits:
              cpu: '2000m'
              memory: '4Gi'
            requests:
              cpu: '1000m'
              memory: '2Gi'
```
Vercel Project IDs
Frontend Project:
- Project ID: prj_abc123xyz (not public)
- Team: altsportsdata-team
- Git Repository: github.com/altsportsleagues/frontend (private)
- Production Branch: main
- Preview Branches: All branches
Docs Project:
- Project ID: prj_def456uvw (not public)
- Team: altsportsdata-team
- Git Repository: github.com/altsportsleagues/docs (private)
- Production Branch: main
Secret Management Architecture
Secret Hierarchy
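The hierarchy the backend depends on is Secret Manager holding the values and the Cloud Run manifest referencing them through `secretKeyRef`. The following is an added example, not part of this runbook: it audits a service spec that has already been loaded into Python dicts (assumed parsed with PyYAML or similar) for sensitive env vars pasted inline and for use of the project-default service account. The sample manifest is a constructed, abridged copy of the backend spec with one deliberate mistake so the checker has something to flag.

```python
"""Audit a Cloud Run (Knative) service spec for secret-handling mistakes."""
import re

# Env var names that must never carry a literal value in a manifest.
SENSITIVE = re.compile(r"(KEY|SECRET|PASSWORD|TOKEN|CREDENTIALS)$", re.IGNORECASE)
# Domain of the project-default service accounts Cloud Run falls back to.
DEFAULT_SA_SUFFIX = "@developer.gserviceaccount.com"


def audit_service(manifest: dict) -> list[str]:
    """Return a list of findings; an empty list means the spec passed."""
    findings = []
    spec = manifest["spec"]["template"]["spec"]
    sa = spec.get("serviceAccountName", "")
    if not sa or sa.endswith(DEFAULT_SA_SUFFIX):
        findings.append(f"serviceAccountName is default/unset: {sa!r}")
    for container in spec.get("containers", []):
        for env in container.get("env", []):
            name = env.get("name", "")
            if not SENSITIVE.search(name):
                continue  # PORT, GOOGLE_CLOUD_PROJECT etc. may be literals
            if "value" in env:
                findings.append(f"{name} has an inline literal value")
            elif "secretKeyRef" not in env.get("valueFrom", {}):
                findings.append(f"{name} is not sourced from Secret Manager")
    return findings


def secret_env(name: str) -> dict:
    """Correct shape: reference the Secret Manager secret, track 'latest'."""
    return {"name": name, "valueFrom": {"secretKeyRef": {"name": name, "key": "latest"}}}


# Constructed sample (abridged from the manifest above, one mistake added).
SAMPLE = {
    "spec": {"template": {"spec": {
        "serviceAccountName": "cloud-run-sa@altsportsdata-102243.iam.gserviceaccount.com",
        "containers": [{"env": [
            {"name": "PORT", "value": "8080"},
            secret_env("OPENAI_API_KEY"),
            {"name": "ANTHROPIC_API_KEY", "value": "sk-ant-PLACEHOLDER"},  # mistake
        ]}],
    }}}
}

if __name__ == "__main__":
    for finding in audit_service(SAMPLE):
        print("FINDING:", finding)
```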
Secret Rotation Schedule
| Secret | Current Rotation | Last Rotated | Next Due | Owner |
|---|---|---|---|---|
| OpenAI API Key | 90 days | 2025-11-01 | 2026-01-30 | Tech Lead |
| Anthropic Key | 90 days | 2025-11-01 | 2026-01-30 | Tech Lead |
| Supabase Service Role | 365 days | 2025-01-15 | 2026-01-15 | DevOps |
| Neo4j Password | 365 days | 2025-03-01 | 2026-03-01 | DevOps |
| Firebase Admin SDK | As needed | 2024-10-15 | - | Tech Lead |
| n8n API Token | 180 days | 2025-10-01 | 2026-04-01 | DevOps |
Rotation Procedure:
```bash
# 1. Generate new key in platform (OpenAI, Anthropic, etc.)

# 2. Add to Secret Manager
gcloud secrets versions add OPENAI_API_KEY \
  --data-file=new-key.txt \
  --project altsportsdata-102243

# 3. Verify new version
gcloud secrets versions list OPENAI_API_KEY

# 4. Redeploy service (picks up latest automatically)
./deploy-all.sh # Option 2

# 5. Test new key works
curl https://api.altsportsleagues.ai/health

# 6. Deactivate old key in platform (OpenAI dashboard)

# 7. Document rotation in 1Password
```
Network & Firewall Configuration
Cloudflare Firewall Rules
Active Rules:
Rule Configuration:
- Rate Limiting
  - api.altsportsleagues.ai: 100 requests/minute per IP
  - altsportsleagues.ai: 500 requests/minute per IP
  - docs.altsportsleagues.ai: No limit (static content)
- Geo-Blocking (if enabled)
  - Block high-risk countries (based on analytics)
  - Allow-list known VPN IPs for remote team
- Bot Management
  - JavaScript challenge for suspected bots
  - Allow verified bots (Google, Bing crawlers)
  - Block known malicious bots
- WAF Rules
  - SQL injection protection
  - XSS prevention
  - Path traversal blocking
  - OWASP Top 10 protection
Internal Monitoring Dashboards
Custom Dashboard Links
Google Cloud:
- Cloud Run Dashboard
- Logs Explorer
- Metrics Explorer
- Secret Manager
Vercel:
- Frontend Dashboard
- Docs Dashboard
- Analytics
Databases:
- Neo4j Console
- Supabase Dashboard
- Firebase Console
Automation:
Advanced Configuration
Cloud Build Trigger Configuration
GitHub Integration:
```yaml
# cloudbuild-trigger.yaml (internal reference)
name: altsportsleagues-backend-deploy
description: Auto-deploy backend on main branch push
trigger:
  github:
    owner: altsportsleagues
    name: backend
    push:
      branch: ^main$
build:
  steps:
    - name: 'gcr.io/cloud-builders/docker'
      args: ['build', '-t', 'gcr.io/altsportsdata-102243/altsportsleagues-backend', '.']
    - name: 'gcr.io/cloud-builders/docker'
      args: ['push', 'gcr.io/altsportsdata-102243/altsportsleagues-backend']
    - name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
      entrypoint: gcloud
      args:
        - 'run'
        - 'deploy'
        - 'altsportsleagues-backend'
        - '--image=gcr.io/altsportsdata-102243/altsportsleagues-backend'
        - '--region=us-central1'
        - '--platform=managed'
  timeout: 1200s
  options:
    machineType: 'E2_HIGHCPU_8'
```
VPC Connector (If Using Private Resources)
```bash
# Create VPC connector for private database access
gcloud compute networks vpc-access connectors create altsportsleagues-connector \
  --network default \
  --region us-central1 \
  --range 10.8.0.0/28

# Update Cloud Run to use connector
gcloud run services update altsportsleagues-backend \
  --vpc-connector altsportsleagues-connector \
  --vpc-egress all-traffic \
  --region us-central1
```
Network Diagram:
Emergency Contacts & Procedures
Emergency Response Team
Incident Response
| Role | Name | Contact | Responsibility |
|---|---|---|---|
| Tech Lead | (Your Name) | tech-lead@altsportsdata.com | Architecture, Backend |
| DevOps | (DevOps Name) | devops@altsportsdata.com | Infrastructure, Deployment |
| Frontend Lead | (Frontend Name) | frontend@altsportsdata.com | Frontend, UI/UX |
| On-Call | Rotation | oncall@altsportsdata.com | 24/7 Incident Response |
Escalation Path
Incident Response Playbook:
- Detect - Monitoring alert or user report
- Assess - Determine severity (P0-P3)
- Alert - Notify appropriate team members
- Mitigate - Immediate action to reduce impact
- Investigate - Root cause analysis
- Fix - Implement permanent solution
- Document - Post-mortem report
- Improve - Prevent recurrence
Internal Cost Tracking
Monthly Cost Breakdown (Actual)
Current Month Spending:
```text
Google Cloud Platform:
├── Cloud Run: $23.45
├── Cloud Storage: $2.15
├── Cloud Logging: $5.30
├── Networking (egress): $1.20
└── Total GCP: $32.10

Vercel:
├── Pro Plan: $20.00
├── Bandwidth Overage: $0.00
└── Total Vercel: $20.00

Databases:
├── Neo4j AuraDB: $65.00
├── Supabase Pro: $25.00
├── Firebase: $8.45
└── Total Databases: $98.45

Other Services:
├── Cloudflare: $0.00 (Free)
├── n8n Cloud: $20.00
├── Domain (GoDaddy): $1.25/month
└── Total Other: $21.25

────────────────────────
TOTAL MONTHLY: $171.80
```
Cost Optimization Opportunities:
- ✅ Already using scale-to-zero (Cloud Run)
- ✅ Already on Cloudflare free tier
- ⚠️ Neo4j could be optimized with better query patterns
- ⚠️ Consider committed use discounts for GCP (save 37%)
Internal Analytics & Business Intelligence
Real Usage Metrics (Last 30 Days)
API Request Distribution:
| Endpoint | Share |
|---|---|
| GET /v1/leagues | 45% |
| GET /v1/teams | 25% |
| GET /v1/players | 15% |
| POST /v1/process-questionnaire | 8% |
| Other endpoints | 7% |
User Geographic Distribution:
| Region | Share |
|---|---|
| United States | 60% |
| Canada | 15% |
| Europe | 12% |
| Asia | 8% |
| Other | 5% |
Traffic Patterns:
Peak Hours: 12PM-6PM EST
Lowest Traffic: 11PM-8AM EST
Best Deploy Window: 10PM-11PM EST (Sunday-Thursday)
Security Reminder
- ❌ Never share this page externally
- ❌ Never commit credentials to Git
- ❌ Never send secrets via email/Slack
- ✅ Always use Secret Manager for production
- ✅ Always rotate keys on schedule
- ✅ Always use 2FA on all accounts
- ✅ Always document access changes