Infrastructure as Code and AWS

Posted by Tom's notes on Friday, August 3, 2018


On a recent project I had the opportunity to try a number of different approaches to setting up an API and some static JavaScript on AWS. I wanted the environment setup to be as repeatable as possible, and to make use of as many AWS features as possible to simplify our processes. Below are some notes on the setup I landed on, along with some Terraform snippets that may be helpful (Terraform is improving rapidly, so there will most likely be newer and better ways to do some of these things).

CloudFront and S3

As long as you don’t have overly complex routing or security requirements, putting CloudFront in front of S3 is a really nice way to host static assets. CloudFront lets you restrict access to the S3 bucket to the CloudFront origin alone (through an origin access identity, so the bucket itself never needs to be public), and it provides a convenient place to terminate TLS that integrates nicely with AWS Certificate Manager.
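The following is an added example written for this page, not the post's own gist: Terraform for a static site that is reachable only through CloudFront. The hostname, bucket name, Route 53 zone id and certificate ARN are assumed inputs; the certificate is assumed to be an already validated ACM certificate in us-east-1, which is the only region CloudFront accepts certificates from.

```hcl
# Added example, not the post's own gist: a static site served only through
# CloudFront. The S3 bucket is private and readable by CloudFront's origin
# access identity alone, TLS terminates at CloudFront with an ACM certificate,
# and a Route 53 alias points the hostname at the distribution.
# Assumed inputs: hostname, bucket name, Route 53 zone id and a validated ACM
# certificate in us-east-1, the only region CloudFront accepts certificates from.

variable "domain" { default = "www.example.com" } # assumed hostname
variable "zone_id" {}                              # Route 53 zone (assumed)
variable "certificate_arn" {}                      # ACM cert in us-east-1 (assumed)

resource "aws_s3_bucket" "site" {
  bucket = "www-example-com-site" # assumed name
}

# Switch off every route to public access; the policy below is the only grant.
resource "aws_s3_bucket_public_access_block" "site" {
  bucket                  = aws_s3_bucket.site.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_cloudfront_origin_access_identity" "site" {
  comment = "origin access identity for ${var.domain}"
}

# GetObject for the OAI and nothing else. Without s3:ListBucket a request for
# a missing key is a 403 from S3, never a listing of the bucket.
data "aws_iam_policy_document" "site" {
  statement {
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.site.arn}/*"]
    principals {
      type        = "AWS"
      identifiers = [aws_cloudfront_origin_access_identity.site.iam_arn]
    }
  }
}

resource "aws_s3_bucket_policy" "site" {
  bucket = aws_s3_bucket.site.id
  policy = data.aws_iam_policy_document.site.json
}

resource "aws_cloudfront_distribution" "site" {
  enabled             = true
  aliases             = [var.domain]
  default_root_object = "index.html"

  origin {
    domain_name = aws_s3_bucket.site.bucket_regional_domain_name
    origin_id   = "s3-site"
    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.site.cloudfront_access_identity_path
    }
  }

  default_cache_behavior {
    target_origin_id       = "s3-site"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD", "OPTIONS"] # read-only site
    cached_methods         = ["GET", "HEAD"]
    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
  }

  viewer_certificate {
    acm_certificate_arn      = var.certificate_arn
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021"
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }
}

resource "aws_route53_record" "site" {
  zone_id = var.zone_id
  name    = var.domain
  type    = "A"
  alias {
    name                   = aws_cloudfront_distribution.site.domain_name
    zone_id                = aws_cloudfront_distribution.site.hosted_zone_id
    evaluate_target_health = false
  }
}
```

Two things worth checking when applying this. The certificate has to be validated before CloudFront will accept it, so if you create it in the same module you also need an aws_acm_certificate_validation resource with the DNS validation records in the same zone. AWS now recommends origin access control (aws_cloudfront_origin_access_control) over the origin access identity used here; with OAC the bucket policy principal becomes the cloudfront.amazonaws.com service with an aws:SourceArn condition pinned to the distribution ARN, but the shape of the setup is otherwise the same.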

The above gist shows how to set up Route 53, CloudFront, and an S3 bucket for hosting a static site. The allowed HTTP methods, and access in general, can be locked down as needed. One minor annoyance at the time of writing is that there is no easy way to set Content-Security-Policy within CloudFront itself (CloudFront has since added response headers policies, which can set such headers without any code), but AWS has a pretty slick solution using Lambda@Edge. There are some great blogs and docs about this, but below is what I used.
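As an added example (not the author's own snippet), here is the Lambda@Edge route in Terraform: an origin-response function that stamps Content-Security-Policy and a few companion headers onto everything CloudFront returns from S3. The function and role names are assumed, and the block assumes a distribution resource elsewhere in the module (for instance one named aws_cloudfront_distribution.site) into which the function is wired as described after the code.

```hcl
# Added example, not the post's own snippet: a Lambda@Edge origin-response
# function that adds Content-Security-Policy (plus HSTS, nosniff and a
# referrer policy) to every response served through CloudFront.
# Assumed names: the role "csp-edge-role" and the function "add-csp-headers".

# Lambda@Edge functions must be created in us-east-1.
provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
}

# Both the Lambda service and the edge replication service assume the role.
data "aws_iam_policy_document" "edge_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com", "edgelambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "edge" {
  name               = "csp-edge-role" # assumed name
  assume_role_policy = data.aws_iam_policy_document.edge_assume.json
}

resource "aws_iam_role_policy_attachment" "edge_logs" {
  role       = aws_iam_role.edge.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}

# The handler, packaged inline so the example stays self-contained. CloudFront
# expects headers as a map of lowercase name -> [{ key, value }].
data "archive_file" "csp" {
  type        = "zip"
  output_path = "${path.module}/csp.zip"

  source {
    filename = "index.js"
    content  = <<-EOT
      'use strict';
      const HEADERS = {
        'Content-Security-Policy': "default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
        'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
        'X-Content-Type-Options': 'nosniff',
        'Referrer-Policy': 'strict-origin-when-cross-origin',
      };
      exports.handler = async (event) => {
        const response = event.Records[0].cf.response;
        for (const name of Object.keys(HEADERS)) {
          response.headers[name.toLowerCase()] = [{ key: name, value: HEADERS[name] }];
        }
        return response;
      };
    EOT
  }
}

resource "aws_lambda_function" "csp" {
  provider         = aws.us_east_1
  function_name    = "add-csp-headers" # assumed name
  role             = aws_iam_role.edge.arn
  handler          = "index.handler"
  runtime          = "nodejs18.x"
  filename         = data.archive_file.csp.output_path
  source_code_hash = data.archive_file.csp.output_base64sha256
  publish          = true # CloudFront needs a numbered version, not $LATEST
}
```

To attach it, add `lambda_function_association { event_type = "origin-response" lambda_arn = aws_lambda_function.csp.qualified_arn }` inside the distribution's default_cache_behavior; `qualified_arn` is the versioned ARN CloudFront requires, which is why `publish = true` is set. The policy shown (`default-src 'self'`) blocks inline scripts and styles, so expect to add nonces, hashes or explicit source lists for whatever the site actually loads. Lambda@Edge functions also cannot use environment variables, so the policy has to live in the code or be generated at deploy time.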

Cluster…

On the API side of things, the simplest approach on AWS is to use ECS. There are a variety of ways to do this, but the nicest from my perspective is to terminate TLS at the load balancer, which again lets you make use of AWS Certificate Manager easily and minimizes the configuration required. The trade-off is that traffic between the load balancer and the containers is then plaintext inside the VPC, so the task security group should accept connections from the load balancer's security group only.
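The following is an added example for this page, not the post's own Terraform: an ECS Fargate service behind an Application Load Balancer that terminates TLS with an ACM certificate. The VPC and subnet ids, the certificate ARN (validated, and in the same region as the ALB) and an existing Fargate task definition with a container named "api" listening on port 8080 are assumed inputs; the resource names are likewise assumed.

```hcl
# Added example, not the post's own snippet: an API on ECS Fargate behind an
# Application Load Balancer. TLS ends at the ALB with an ACM certificate; the
# tasks run in private subnets without public IPs and accept traffic from the
# ALB's security group only, since the ALB-to-task hop is plaintext HTTP.
# Assumed inputs: VPC and subnet ids, a validated ACM certificate in this
# region, and an existing Fargate task definition exposing port 8080.

variable "vpc_id" {}
variable "public_subnet_ids" { type = list(string) }
variable "private_subnet_ids" { type = list(string) }
variable "certificate_arn" {}     # ACM certificate for the API hostname (assumed)
variable "task_definition_arn" {} # task definition with container "api" on 8080 (assumed)

resource "aws_security_group" "alb" {
  name   = "api-alb"
  vpc_id = var.vpc_id

  ingress { # HTTPS from anywhere
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress { # onward to the tasks
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group" "task" {
  name   = "api-task"
  vpc_id = var.vpc_id

  ingress { # container port, reachable from the ALB only
    from_port       = 8080
    to_port         = 8080
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }
  egress { # image pulls and outbound calls
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_lb" "api" {
  name               = "api"
  load_balancer_type = "application"
  security_groups    = [aws_security_group.alb.id]
  subnets            = var.public_subnet_ids
}

resource "aws_lb_target_group" "api" {
  name        = "api"
  port        = 8080
  protocol    = "HTTP"
  target_type = "ip" # Fargate tasks register by ENI address
  vpc_id      = var.vpc_id
}

resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.api.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06" # TLS 1.2 and 1.3 only
  certificate_arn   = var.certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.api.arn
  }
}

resource "aws_ecs_cluster" "api" {
  name = "api"
}

resource "aws_ecs_service" "api" {
  name            = "api"
  cluster         = aws_ecs_cluster.api.id
  task_definition = var.task_definition_arn
  desired_count   = 2
  launch_type     = "FARGATE"

  network_configuration {
    subnets          = var.private_subnet_ids
    security_groups  = [aws_security_group.task.id]
    assign_public_ip = false # reachable only through the ALB
  }

  load_balancer {
    target_group_arn = aws_lb_target_group.api.arn
    container_name   = "api"
    container_port   = 8080
  }
  depends_on = [aws_lb_listener.https] # target group must be attached to the ALB first
}
```

Two points that differ from the CloudFront case: the ALB's certificate must live in the same region as the load balancer rather than in us-east-1, and nothing listens on port 80 here, so if you want HTTP requests to be upgraded rather than refused, add an `aws_lb_listener` on port 80 whose default action is a redirect to port 443 with `status_code = "HTTP_301"` and open port 80 on the ALB security group.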