
Site Provisioning

Create S3, CloudFront, and SSL infrastructure for each site

Create AWS infrastructure for each Astrolock site: S3 bucket, CloudFront CDN, SSL certificate, DNS.

Warning

Prerequisite: Complete Backend Setup first.

You’ll need:

  • Terraform >= 1.0 and AWS CLI v2
  • Site provisioner credentials (from backend setup)
  • Domain name (Route53 zone ID if using AWS DNS)

Quick Setup

# 1. Create site config
mkdir -p .astrolock/infra/aws/sites
cat > .astrolock/infra/aws/sites/mysite.tfvars << 'EOF'
site_name    = "mysite"
domain_name  = "mysite.example.com"
alternative_domain_names = ["example.com"]  # Optional apex domain
create_route53_records = true               # If using Route53
route53_zone_id = "Z1234567890ABC"          # If using Route53
EOF

# 2. Initialize and create infrastructure
cd terraform/astrolock_site
export AWS_PROFILE=astrolock-sites-provisioner
export ASTROLOCK_SITE_CONFIG=../../.astrolock/infra/aws/sites/mysite.tfvars

make bootstrap-init    # Init with local state
make plan              # Preview
make bootstrap-apply   # Create (takes ~30 min for SSL)

# 3. Migrate to remote state
make migrate-state     # Answer 'yes' to copy state

# 4. Generate deployer package
make deployer-package  # Creates mysite-deployer-package.md

# 5. Manual DNS (if NOT using Route53)
make output            # Get DNS records to create

Tip

Use descriptive config names: production.tfvars, staging.tfvars. Each site needs its own file.

Warning

Share the deployer package securely: it contains AWS credentials. The deployer follows the package instructions to configure AWS and deploys with astrolock deploy live --execute.

Day-to-Day Management

# Set environment once
export AWS_PROFILE=astrolock-sites-provisioner
export ASTROLOCK_SITE_CONFIG=../../.astrolock/infra/aws/sites/mysite.tfvars

cd terraform/astrolock_site
make plan          # Preview changes
make apply         # Apply changes
make info          # View site info
make invalidate    # Clear CloudFront cache

Tip

Create aliases: alias tf-prod='export ASTROLOCK_SITE_CONFIG=../../.astrolock/infra/aws/sites/production.tfvars'

Multiple Environments

Create separate .tfvars files: staging.tfvars, production.tfvars. Run setup for each, then manage with different ASTROLOCK_SITE_CONFIG values.

Reference

Key Variables:

  • site_name, domain_name (required)
  • alternative_domain_names (array, optional apex domain)
  • create_route53_records, route53_zone_id (if using Route53)
  • price_class: PriceClass_100 (US/CA/EU), PriceClass_200 (+Asia/Africa), PriceClass_All (global)

Outputs: Run terraform output or make info to view bucket, CloudFront distribution, URLs, and DNS records.

Security: Private S3, Origin Access Control, HTTPS only, TLS 1.2+, AES256 encryption, versioning enabled.
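The controls listed above can be checked against the provisioned state rather than taken on trust. The following is an added example, not Astrolock's own code: it audits the JSON printed by terraform show -json, and it assumes the module uses the standard AWS provider resource types named in the code (the module's actual resource layout is not shown on this page). Only the default CloudFront cache behavior is inspected.

```python
PAB_FLAGS = ("block_public_acls", "block_public_policy", "ignore_public_acls", "restrict_public_buckets")

def dig(v, *path):
    """Follow keys through nested blocks, which Terraform's JSON renders as lists."""
    for key in path:
        v = (v[0] if isinstance(v, list) and v else v or {}).get(key)
    return v

CONTROLS = [  # (resource type, finding reported on failure, predicate over its values)
    ("aws_s3_bucket_public_access_block", "S3 public access is not fully blocked",
     lambda v: all(v.get(f) is True for f in PAB_FLAGS)),
    ("aws_s3_bucket_server_side_encryption_configuration", "S3 default encryption is not AES256",
     lambda v: dig(v, "rule", "apply_server_side_encryption_by_default", "sse_algorithm") == "AES256"),
    ("aws_s3_bucket_versioning", "S3 versioning is not enabled",
     lambda v: dig(v, "versioning_configuration", "status") == "Enabled"),
    ("aws_cloudfront_distribution", "CloudFront origin without Origin Access Control",
     lambda v: bool(v.get("origin")) and all(o.get("origin_access_control_id") for o in v["origin"])),
    ("aws_cloudfront_distribution", "CloudFront default behavior allows plain HTTP",
     lambda v: dig(v, "default_cache_behavior", "viewer_protocol_policy") in ("https-only", "redirect-to-https")),
    ("aws_cloudfront_distribution", "CloudFront accepts TLS below 1.2",
     lambda v: str(dig(v, "viewer_certificate", "minimum_protocol_version")).startswith(("TLSv1.2", "TLSv1.3"))),
]

def audit(state):
    """Return one finding per documented control that the state does not show."""
    by_type, stack = {}, [state.get("values", {}).get("root_module", {})]
    while stack:  # root module plus any child modules
        module = stack.pop()
        stack.extend(module.get("child_modules", []))
        for r in module.get("resources", []):
            by_type.setdefault(r["type"], []).append(r.get("values", {}))
    return [msg for rtype, msg, ok in CONTROLS
            if not by_type.get(rtype) or not all(ok(v) for v in by_type[rtype])]

# Constructed sample state; resource names and attribute values are assumptions.
def resource(rtype, **values):
    return {"address": rtype + ".site", "type": rtype, "values": values}
HARDENED = {"values": {"root_module": {"resources": [
    resource("aws_s3_bucket_public_access_block", **dict.fromkeys(PAB_FLAGS, True)),
    resource("aws_s3_bucket_server_side_encryption_configuration",
             rule=[{"apply_server_side_encryption_by_default": [{"sse_algorithm": "AES256"}]}]),
    resource("aws_s3_bucket_versioning", versioning_configuration=[{"status": "Enabled"}]),
    resource("aws_cloudfront_distribution", origin=[{"origin_access_control_id": "E0000000EXAMPLE"}],
             default_cache_behavior=[{"viewer_protocol_policy": "redirect-to-https"}],
             viewer_certificate=[{"minimum_protocol_version": "TLSv1.2_2021"}]),
]}}}

if __name__ == "__main__":  # usage: terraform show -json > state.json && python3 audit.py state.json
    import json, sys
    print(audit(json.load(open(sys.argv[1])) if sys.argv[1:] else HARDENED) or "all controls present")
```

A missing resource type is reported as a failed control, so an empty or partial state never passes silently.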

Cost: ~$1.40/month for a typical site (1GB, 10k views). ACM certificates are free.

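# WARNING: Permanent deletion
# Versioning is enabled, so `aws s3 rm` only adds delete markers; earlier object versions stay in the bucket until they are removed too.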
aws s3 rm s3://$(terraform output -raw s3_bucket_name) --recursive
terraform destroy

Troubleshooting

  • Certificate validation stuck: Check terraform output certificate_validation_records and create DNS records. Takes up to 30 min.
  • 403 Access Denied: Wait 5-10 min for S3 policy propagation to CloudFront.
  • Old content cached: aws cloudfront create-invalidation --distribution-id $(terraform output -raw cloudfront_distribution_id) --paths "/*"
  • State locked: terraform force-unlock LOCK_ID (only after confirming that no other Terraform run still holds the lock)
  • Resource exists error: terraform import aws_s3_bucket.site www.example.com