
AWS Infrastructure with Terraform


Set up AWS infrastructure for Astrolock sites


Set up production AWS infrastructure: S3, CloudFront CDN, SSL certificates, and DNS.

                    ┌─────────────────┐
                    │   CloudFront    │
    User ──HTTPS──▶ │   Distribution  │
                    │   (CDN + SSL)   │
                    └────────┬────────┘
                             │ OAC
                             ▼
                    ┌─────────────────┐
                    │    S3 Bucket    │
                    │   (Private)     │
                    └─────────────────┘

Prerequisites

Important

Complete AWS Backend Setup first (one-time per AWS account).

Required:

  • Terraform >= 1.0 and AWS CLI v2: brew install terraform awscli
  • Site provisioner IAM user with credentials configured
  • Domain name with DNS access (Route53 zone ID if using Route53)

Quick Setup

# 1. Create site config
mkdir -p .astrolock/infra/aws/sites
cat > .astrolock/infra/aws/sites/mysite.tfvars << 'EOF'
site_name    = "mysite"
domain_name  = "mysite.example.com"
alternative_domain_names = ["example.com"]  # Optional apex domain
create_route53_records = true               # If using Route53
route53_zone_id = "Z1234567890ABC"          # If using Route53
EOF

# 2. Initialize and create infrastructure
cd terraform/astrolock_site
export AWS_PROFILE=astrolock-sites-provisioner
export ASTROLOCK_SITE_CONFIG=../../.astrolock/infra/aws/sites/mysite.tfvars

make bootstrap-init    # Init with local state
make plan              # Preview
make bootstrap-apply   # Create (ACM certificate validation can take ~30 min)

# 3. Migrate to remote state
make migrate-state     # Answer 'yes' to copy state

# 4. Generate deployer package
make deployer-package  # Creates mysite-deployer-package.md

# 5. Manual DNS (if NOT using Route53)
make output            # Get DNS records to create

Tip

Use descriptive config names: production.tfvars, staging.tfvars. Each site needs its own file.

Warning

Share the deployer package securely: it contains AWS credentials. The deployer follows the package instructions to configure AWS and then deploys with astrolock deploy live --execute.

Day-to-Day Management

# Set environment once
export AWS_PROFILE=astrolock-sites-provisioner
export ASTROLOCK_SITE_CONFIG=../../.astrolock/infra/aws/sites/mysite.tfvars

cd terraform/astrolock_site
make plan          # Preview changes
make apply         # Apply changes
make info          # View site info
make invalidate    # Clear CloudFront cache

Tip

Create aliases: alias tf-prod='export ASTROLOCK_SITE_CONFIG=../../.astrolock/infra/aws/sites/production.tfvars'

Multiple Environments

Create separate .tfvars files: staging.tfvars, production.tfvars. Run setup for each, then manage with different ASTROLOCK_SITE_CONFIG values.

Reference

Key Variables:

  • site_name, domain_name (required)
  • alternative_domain_names (array, optional apex domain)
  • create_route53_records, route53_zone_id (if using Route53)
  • price_class: PriceClass_100 (US/CA/EU), PriceClass_200 (adds Asia/Africa), PriceClass_All (global)

Outputs: Run terraform output or make info to view bucket, CloudFront distribution, URLs, and DNS records.

Security: private S3 bucket (public access blocked), CloudFront Origin Access Control, HTTPS only, TLS 1.2+, AES256 server-side encryption, versioning enabled.

Cost: ~$1.40/month for a typical site (1 GB stored, 10k views). ACM certificates are free.

Teardown

# WARNING: Permanent deletion (empty the bucket first, then destroy)
aws s3 rm s3://$(terraform output -raw s3_bucket_name) --recursive
terraform destroy

Troubleshooting

  • Certificate validation stuck: run terraform output certificate_validation_records and create the listed DNS records. Validation takes up to 30 min after the records resolve.
  • 403 Access Denied: wait 5-10 min for the S3 bucket policy to propagate to CloudFront.
  • Old content cached: aws cloudfront create-invalidation --distribution-id $(terraform output -raw cloudfront_distribution_id) --paths "/*"
  • State locked: terraform force-unlock LOCK_ID (only after confirming no other apply is running)
  • Resource already exists error: import it into state, e.g. terraform import aws_s3_bucket.site www.example.com (use the existing bucket's name)
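The certificate validation bullet and the manual-DNS step (make output when not using Route53) both come down to the same ACM DNS-validation pattern. The following is an added illustrative example, not the Astrolock module's own code; it assumes the page's domain_name, alternative_domain_names, create_route53_records and route53_zone_id variables are declared elsewhere, and shows why the apply blocks until the validation CNAMEs exist, and how the certificate_validation_records output gives you exactly what to create by hand.

```hcl
# Added example (not the Astrolock module). Assumes the page's variables are declared.
provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1" # CloudFront only accepts ACM certificates issued in us-east-1
}

resource "aws_acm_certificate" "site" {
  provider                  = aws.us_east_1
  domain_name               = var.domain_name
  subject_alternative_names = var.alternative_domain_names
  validation_method         = "DNS"

  # Issue the replacement before dropping the old cert on renewal/SAN changes.
  lifecycle { create_before_destroy = true }
}

# When Route53 hosts the zone, create one validation CNAME per domain automatically.
resource "aws_route53_record" "validation" {
  for_each = {
    for dvo in aws_acm_certificate.site.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    } if var.create_route53_records
  }

  zone_id         = var.route53_zone_id
  name            = each.value.name
  type            = each.value.type
  records         = [each.value.record]
  ttl             = 60
  allow_overwrite = true
}

# Blocks the apply until ACM sees the CNAMEs. With manual DNS this is the step
# that appears "stuck": it polls until the records you created resolve.
resource "aws_acm_certificate_validation" "site" {
  provider                = aws.us_east_1
  certificate_arn         = aws_acm_certificate.site.arn
  validation_record_fqdns = [for r in aws_route53_record.validation : r.fqdn]
}

# The records to create by hand when create_route53_records is false.
output "certificate_validation_records" {
  description = "DNS validation CNAMEs for the ACM certificate"
  value = [
    for dvo in aws_acm_certificate.site.domain_validation_options : {
      name  = dvo.resource_record_name
      type  = dvo.resource_record_type
      value = dvo.resource_record_value
    }
  ]
}
```

If validation does not complete, compare the output against the zone with dig (dig CNAME <name> @<authoritative nameserver>): a typo in the record name or a trailing-dot mismatch is the usual cause, and ACM will not retry faster than its own polling interval.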