ADR-0006 · 2026-04-26 · Accepted
Production domain: clientes.imaquinaria.cl
Path structure under the same domain, to eliminate CORS entirely and use a single SSL certificate:
clientes.imaquinaria.cl → frontend (S3 + CloudFront)clientes.imaquinaria.cl/api → API Gateway (via CloudFront behavior)The SSL certificate must be created in ACM region us-east-1, a CloudFront requirement independent of the deployment region.
Runtime: python3.13. Memory: 512 MB — reduces cold start latency with FastAPI + boto3 + pydantic dependencies. Timeout: 30s, sufficient for all endpoints including stats with multiple DynamoDB queries.
The memory configuration was subject to review with real post-deploy metrics. Production metrics (p50 ~117 ms on Lambda, cold start rate 0.7%) confirmed that 512 MB is correct.
Stored in SSM Parameter Store as String (not SecureString). Backend variables (TABLE_NAME, Cognito IDs, URLs) are identifiers, not sensitive secrets — they do not grant access on their own.
Future decision: migrate to SecureString before onboarding the first external tenant. Requires no code changes, only template and SSM value updates.
CloudWatch retention: 30 days. Sufficient for operational debugging without accumulating storage debt.
CloudFront acts as a proxy for both the frontend and the API, simplifying CORS and certificate management. The architecture supports multi-tenant: adding a second merchant is registering it in DynamoDB, with no infrastructure changes.