Managing AWS Keyspaces for TOT

Tani Kalweit

29 Dec 2025 — 1 min read

AWS Keyspaces and tables for the TOT namespace are managed using Terraform, orchestrated by Terragrunt. All files related to this are located in the infra folder in the TOT repository.

Key design goals:

Multiple keyspaces (e.g. tot_localhost, tot_prod) in the same AWS account
All keyspaces share the same set of tables
Adding a new table should be simple and safe
Minimize the risk of accidental deletion
Separate Terraform state per keyspace

High-Level Design

One Terraform module (modules/keyspace_schema) defines:
- a keyspace
- all tables within that keyspace (data-driven via for_each)
One Terragrunt stack per keyspace
- each keyspace has its own Terraform state
Tables are defined once in a shared catalog and applied to all keyspaces
Destructive operations are guarded with prevent_destroy

Directory Structure

infra/
├── modules/
│ └── keyspace_schema/
│ ├── main.tf
│ ├── variables.tf
│ └── outputs.tf
│
└── live/
├── terragrunt.hcl # Remote state + provider config
├── tables/
│ ├── _catalog.hcl # Aggregates all table definitions
│ ├── excise_tax_product_by_app_domain.hcl #One file for each table
│ └── order_by_ts.hcl
│
└── keyspaces/
├── tot_dev/
│ └── terragrunt.hcl
└── tot_prod/
└── terragrunt.hcl

Remote State Configuration

Terraform state is stored remotely in Amazon S3, with locking provided by DynamoDB.

This is configured in infra/live/terragrunt.hcl.

S3 State Bucket

Stores one state file per keyspace
State keys are derived from the folder path, so states never collide

Example state objects:

keyspaces/tot_dev/terraform.tfstate keyspaces/tot_prod/terraform.tfstate

DynamoDB Lock Table

Prevents concurrent Terraform operations
Required for safe team usage

Common Workflows

Adding a New Table

Add the table to an existing file under infra/live/tables/

In infra/live/tables/ create a new *.hcl file and include it in _catalog.hcl

Run:

cd infra/live/keyspaces/tot_localhost
terragrunt init
terragrunt plan
terragrunt apply

Repeat for other keyspaces when ready.

Confirm table exists in keyspace: https://ghost-tot-u35315.vm.elestio.app/ghost/#/editor/post/6952fae20ca919008356be1a

Adding a New Keyspace

Create a new folder:

infra/live/keyspaces/<keyspace_name>/

Copy an existing terragrunt.hcl and update:

keyspace_name = "<keyspace_name>"

Run:

terragrunt init
terragrunt plan
terragrunt apply

All existing tables will be created automatically.

Confirm keyspace and tables exist: https://ghost-tot-u35315.vm.elestio.app/ghost/#/editor/post/6952fae20ca919008356be1a

Approach: Improve Bot Discoverability with Search and Team Scoping

1. Global Bot Search Bar What: * Add a persistent search input at the top of the bot directory. * Search should match: * Bot name * Short description * Tags / keywords * Owner or team (optional enhancement) 2. Role-Based Bot Filtering What: * Automatically filter bots based on the user’s authenticated role, team, or department.

Browse & Search Licenses

Overview This deliverable introduces a searchable License List page within OpsConfig. The page allows operators to browse and locate licenses using substring search across key identifiers, while ensuring all sensitive data remains masked according to the ClientConfig API response rules. The feature is read-only and intended to support operational visibility

License Details (View‑Only)

Overview The License Details (View‑Only, Masked) feature provides operations users with a secure, read‑only view of license‑specific client configuration data. Configuration is fetched via the ClientConfig API and rendered exactly as returned, with all sensitive fields masked. No unmasking or editing capabilities are provided. Scope & Goals

How do you setup identity or age verification so that only certain locations need to get verified?

Answer: Use Location-Based Identity Verification. This is enabled via the locationRestrictions.requiresVerification attribute in your application configuration to define which countries and regions require verification. Summary Token of Trust now supports location-based verification requirements through the locationRestrictions configuration. This feature allows you to specify which geographic locations (countries and regions)