Phase 1 -- External Resources Provisioning -- Exports
Resources, identifiers, and values produced by Phase 1 that are consumed by later phases or by external operators. Phase 1’s outputs are exclusively typed code references and operational documentation; no AWS CloudFormation stack exports are produced (Phase 1 deploys no stacks).
TypeScript exports from platform/
These are the typed constants downstream phases import. After Phase 1, no other code in the infrastructure repository should construct equivalent op:// strings inline; consumers import the constants below.
From infrastructure/src/main/cdk/platform/postmark-service.ts
| Export | Shape | Value | Consumer |
|---|---|---|---|
| PostmarkAccount (type) | { name: string; credentialReference: string } | — | Type used by all Postmark account references throughout the project. |
| POSTMARK_PROD_ACCOUNT | PostmarkAccount | { name: "PostmarkProd", credentialReference: "op://Arda-SystemsOAM/Postmark-Prod/credential" } | Phase 3 (Free Kanban Tool Postmark thin-wrapper); Phase 4 (Alpha001 partition-email stack); drift workflow. |
| POSTMARK_NONPROD_ACCOUNT | PostmarkAccount | { name: "PostmarkNonProd", credentialReference: "op://Arda-SystemsOAM/Postmark-NonProd/credential" } | Phase 4 (Alpha002 partition-email stack); drift workflow; integration-test paths. |
| POSTMARK_ACCOUNT_API_BASE_URL | string | "https://api.postmarkapp.com" | Phase 3 thin-wrappers; drift workflow; any future Postmark Account API consumer. |
| POSTMARK_PLAN | string | "Platform" | Drift workflow’s plan-attribute assertion (deferred per specification.md § Open Questions); documentation cross-references. |
| POSTMARK_API_SURFACE | { freshnessDate: string; observationsNotePath: string } | freshness date + path to the API observations note | Drift workflow’s surface-freshness reminder (informational); documentation. |
From infrastructure/src/main/cdk/platform/one-password.ts
| Export | Shape | Value | Consumer |
|---|---|---|---|
| OAM_VAULT | string | "Arda-SystemsOAM" | Every typed item reference; any future direct vault enumeration. |
| OnePasswordItem (type) | { vault: string; title: string; primaryField: string; reference: string } | — | Type used by all 1Password item references. |
| POSTMARK_PROD_ITEM | OnePasswordItem | { vault: "Arda-SystemsOAM", title: "Postmark-Prod", primaryField: "credential", reference: "op://Arda-SystemsOAM/Postmark-Prod/credential" } | Phase 3, Phase 4, drift workflow (forward-references). |
| POSTMARK_NONPROD_ITEM | OnePasswordItem | analogous for Postmark-NonProd | Phase 4 (Alpha002), drift workflow, integration-test paths. |
| IAC_SCRIPTS_SERVICE_ACCOUNT_ITEM | OnePasswordItem | analogous for IAC-SCRIPTS Service Account Token | Local-dev operator scripts; drift workflow’s smoke-resolution; CI workflows authenticated via OP_SERVICE_ACCOUNT_TOKEN. |

Phase 1 declares only the three items it provisions (Postmark-Prod, Postmark-NonProd, IAC-SCRIPTS Service Account Token, all in Arda-SystemsOAM). The Free Kanban Tool’s Postmark server token — created by Phase 3’s Corporate CLI — has its own typed reference introduced in Phase 3, pointing at a separate vault (Arda-CorporateOAM) per DQ-R1-007.
Consumption pattern
Downstream phases import the typed constants:

```typescript
// Phase 3 example -- Free Kanban Tool stack
import {
  POSTMARK_PROD_ACCOUNT,
  POSTMARK_ACCOUNT_API_BASE_URL,
} from "arda/platform/postmark-service";
// FREE_KANBAN_POSTMARK_ITEM is introduced by Phase 3 (separate vault per DQ-R1-007),
// not Phase 1.
```

The arda/... import alias is the existing repo convention for infrastructure/src/main/cdk/....
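The rule that no code outside platform/ constructs op:// strings inline can be checked mechanically. The sketch below is an added example, not code from the repository: the function name, the non-platform file path and the sample file contents are assumptions constructed for illustration.

```typescript
// Added example, not repository code. The non-platform file path and its
// contents are constructed; findInlineOpReferences is a hypothetical name.
const PLATFORM_DIR = "infrastructure/src/main/cdk/platform/";

interface InlineReferenceFinding {
  file: string;
  line: number;
  reference: string;
}

// Report every quoted op:// literal found outside platform/, with its location.
function findInlineOpReferences(files: Record<string, string>): InlineReferenceFinding[] {
  const findings: InlineReferenceFinding[] = [];
  for (const file of Object.keys(files)) {
    if (file.indexOf(PLATFORM_DIR) === 0) continue; // typed constants live here
    const lines = (files[file] ?? "").split("\n");
    lines.forEach((text, index) => {
      if (/^\s*\/\//.test(text)) return; // comment-only line, not a literal
      // Fresh regex per line so lastIndex never carries over between lines.
      // `*` also catches a bare "op://" prefix used in string concatenation.
      const literal = /["'`](op:\/\/[^"'`]*)["'`]/g;
      let match = literal.exec(text);
      while (match !== null) {
        findings.push({ file, line: index + 1, reference: match[1] ?? "" });
        match = literal.exec(text);
      }
    });
  }
  return findings;
}

// Constructed sample: one platform module and one stack that violates the rule.
const SAMPLE_FILES: Record<string, string> = {
  "infrastructure/src/main/cdk/platform/postmark-service.ts":
    'export const POSTMARK_PROD_ACCOUNT = { name: "PostmarkProd", ' +
    'credentialReference: "op://Arda-SystemsOAM/Postmark-Prod/credential" };',
  "infrastructure/src/main/cdk/stacks/example-stack.ts":
    'import { POSTMARK_PROD_ACCOUNT } from "arda/platform/postmark-service";\n' +
    "// op:// references belong in platform/ only\n" +
    'const token = "op://Arda-SystemsOAM/Postmark-Prod/credential";',
};

for (const f of findInlineOpReferences(SAMPLE_FILES)) {
  console.log(`${f.file}:${f.line} inline reference ${f.reference}`);
}
```

Run over the real source tree in CI, a non-empty result would fail the build and point at the file and line to replace with an import.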
External resources Phase 1 makes addressable
Phase 1 does not own these resources (they are external to the repository), but it captures a typed addressing path to each.
Postmark accounts
| Resource | Operator surface | Programmatic surface |
|---|---|---|
| PostmarkProd account | Postmark Console (operator login) | POSTMARK_PROD_ACCOUNT.credentialReference resolved via 1Password SDK |
| PostmarkNonProd account | Postmark Console | POSTMARK_NONPROD_ACCOUNT.credentialReference resolved via 1Password SDK |
Postmark account-level API authentication uses the X-Postmark-Account-Token HTTP header per Postmark’s documented authentication model.
1Password vault and items
| Resource | Path | Consumer |
|---|---|---|
| Arda-SystemsOAM vault | OAM_VAULT | All credential resolution |
| Postmark-Prod item, credential field | POSTMARK_PROD_ITEM.reference | Phase 3 / Phase 4 / drift |
| Postmark-NonProd item, credential field | POSTMARK_NONPROD_ITEM.reference | Phase 4 / drift / integration tests |
| IAC-SCRIPTS Service Account Token item, credential field | IAC_SCRIPTS_SERVICE_ACCOUNT_ITEM.reference | Local-dev + CI |
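The same op:// string appears in two modules (PostmarkAccount.credentialReference and OnePasswordItem.reference), and each item also repeats its vault, title and field inside its reference. A consistency check like the following catches drift between them. It is an added example, not repository code: the interfaces copy the shapes listed in the tables, while parseReference, checkItem and the drifted account are hypothetical and constructed for illustration.

```typescript
// Added example, not repository code. The two interfaces copy the shapes in
// the tables above; parseReference and checkItem are hypothetical helpers.
interface OnePasswordItem { vault: string; title: string; primaryField: string; reference: string }
interface PostmarkAccount { name: string; credentialReference: string }
interface ParsedReference { vault: string; item: string; field: string }

const OAM_VAULT = "Arda-SystemsOAM";

// Split "op://vault/item/field" into parts; null when the shape is wrong.
// Phase 1 references use this three-segment form (no section segment).
function parseReference(reference: string): ParsedReference | null {
  const prefix = "op://";
  if (reference.indexOf(prefix) !== 0) return null;
  const [vault, item, field, ...extra] = reference.slice(prefix.length).split("/");
  if (!vault || !item || !field || extra.length > 0) return null;
  return { vault, item, field };
}

// List every way a Phase 1 item (and the account pointing at it) is inconsistent.
function checkItem(item: OnePasswordItem, account?: PostmarkAccount): string[] {
  const parsed = parseReference(item.reference);
  if (parsed === null) return [`${item.title}: malformed reference`];
  const problems: string[] = [];
  if (item.vault !== OAM_VAULT) problems.push(`${item.title}: vault is not ${OAM_VAULT}`);
  if (parsed.vault !== item.vault) problems.push(`${item.title}: reference vault mismatch`);
  if (parsed.item !== item.title) problems.push(`${item.title}: reference item mismatch`);
  if (parsed.field !== item.primaryField) problems.push(`${item.title}: reference field mismatch`);
  if (account !== undefined && account.credentialReference !== item.reference) {
    problems.push(`${account.name}: credentialReference differs from ${item.title}`);
  }
  return problems;
}

// Values as listed in the export tables.
const POSTMARK_PROD_ITEM: OnePasswordItem = {
  vault: "Arda-SystemsOAM", title: "Postmark-Prod", primaryField: "credential",
  reference: "op://Arda-SystemsOAM/Postmark-Prod/credential",
};
const POSTMARK_PROD_ACCOUNT: PostmarkAccount = {
  name: "PostmarkProd", credentialReference: "op://Arda-SystemsOAM/Postmark-Prod/credential",
};
// Constructed drift: the prod account pointing at the non-prod item.
const DRIFTED_ACCOUNT: PostmarkAccount = {
  name: "PostmarkProd", credentialReference: "op://Arda-SystemsOAM/Postmark-NonProd/credential",
};

console.log(checkItem(POSTMARK_PROD_ITEM, POSTMARK_PROD_ACCOUNT));
console.log(checkItem(POSTMARK_PROD_ITEM, DRIFTED_ACCOUNT));
```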
GitHub Actions secret
| Secret | Repository | Consumer |
|---|---|---|
| OP_SERVICE_ACCOUNT_TOKEN | Arda-cards/infrastructure | Every CI workflow that needs to resolve a 1Password reference |
Operational documentation produced
Pages added to the documentation repository under current-system/oam/postmark-service/:
| Path | Purpose | Audience |
|---|---|---|
| index.md | Postmark service overview | Operators; future implementors |
| postmark-api-observations.md | Postmark API design-intent note (~3 pages); cross-links to Postmark official docs | Future implementors of Phase 3 thin-wrappers and the Phase 5b L1 proxies |
| operator-runbook.md | Manual external-resource provisioning runbook with troubleshooting + sign-off | Operators provisioning Postmark accounts and 1Password items |
Workflow surfaces
| Workflow | Repository | Trigger | Consumer |
|---|---|---|---|
| external-resources-drift.yml (final filename TBD per specification.md § OQ-1) | Arda-cards/infrastructure | schedule (monthly) and workflow_dispatch | Operators (via the auto-issue on failure) |
Removed surfaces
| Surface | Removed because | Migration path |
|---|---|---|
| The parser-gated operator runbook (HUMAN-STEPS.md) from the prior Phase-0 implementation | The orchestrator that parsed it is being restructured (becomes Phase 3’s Corporate CLI); operator sign-off is captured in the canonical runbook in documentation instead. | Operators follow the new operator-runbook.md and sign off there. |
| The TypeScript module that parsed the prior runbook | Same reason. | None — the gate is retired entirely. |
What Phase 1 does not export
For clarity, Phase 1 does not produce:
- AWS CloudFormation stack outputs (no CDK stacks deployed).
- AWS Secrets Manager entries (Phase 4 populates per-partition Postmark account-token secrets and per-partition encryption-key secrets from the references Phase 1 declares).
- Helm chart contributions (Phase 5b).
- API endpoints (Phase 5b).
- Postmark server resources (Phase 3 for Free Kanban Tool; Phase 4 / Phase 5b for partition tenants).
Copyright: © Arda Systems 2025-2026, All rights reserved