Deployment (AWS + CloudFront, GitHub Actions)

This repo deploys as a static website hosted on AWS:

• Origin: private S3 bucket
• CDN: CloudFront (OAC)
• DNS: Cloudflare (DNS-only)
• Deploy: GitHub Actions (OIDC, no long-lived AWS keys)

The build step is currently Jekyll. The deploy workflow calls scripts/build_site.sh, so switching generators later is one file change.

One-time setup

1) Create Terraform remote state

1. Choose an AWS region (example: us-west-2).
2. Apply infra/terraform/bootstrap/ (see its README).

2) Create the site infrastructure

1. Export a Cloudflare API token for Terraform:

   export CLOUDFLARE_API_TOKEN="..."
   

2. Configure Terraform backend and variables:
   • Create infra/terraform/site/backend.hcl from infra/terraform/site/backend.hcl.example.
   • Create infra/terraform/site/terraform.tfvars from infra/terraform/site/terraform.tfvars.example.

3. Apply:

   cd infra/terraform/site
   terraform init -backend-config=backend.hcl
   terraform apply
   

Ephemeral AWS credentials (recommended)

GitHub Actions already uses ephemeral AWS credentials via OIDC. For local Terraform, use either AWS SSO or aws-vault.

Option A: AWS SSO profile

1. Create an SSO profile (one-time):

   aws configure sso --profile doomscrollingdenied-admin
   

2. Start a temporary SSO session:

   aws sso login --profile doomscrollingdenied-admin
   export AWS_PROFILE=doomscrollingdenied-admin
   export AWS_SDK_LOAD_CONFIG=1
   export AWS_REGION=us-west-2
   export AWS_DEFAULT_REGION=us-west-2
   

3. Run Terraform:

   cd infra/terraform/site
   terraform init -backend-config=backend.hcl
   terraform plan -var-file=terraform.tfvars
   terraform apply -var-file=terraform.tfvars
   

Troubleshooting SSO:

• Ensure AWS CLI v2 is installed (SSO is v2-only).
• Verify the session works:

  aws sts get-caller-identity --profile doomscrollingdenied-admin
  

• If Terraform says it cannot find credentials, make sure AWS_SDK_LOAD_CONFIG=1 is set.
• If it says “region is missing”, set both AWS_REGION and AWS_DEFAULT_REGION.
• If it prompts for a different SSO region, confirm your profile has sso_region and sso_start_url set.

Docker with SSO profile:

docker run --rm -it \
  -v "$PWD:/data" \
  -v "$HOME/.aws:/root/.aws:ro" \
  -w /data/infra/terraform/site \
  -e AWS_PROFILE=doomscrollingdenied-admin \
  -e AWS_SDK_LOAD_CONFIG=1 \
  -e AWS_REGION=us-west-2 \
  -e CLOUDFLARE_API_TOKEN \
  hashicorp/terraform:latest plan -var-file=terraform.tfvars

Option B: aws-vault

Run Terraform directly with short-lived credentials:

aws-vault exec doomscrollingdenied-admin -- \
  terraform -chdir=infra/terraform/site plan -var-file=terraform.tfvars

Docker with aws-vault-issued environment credentials:

aws-vault exec doomscrollingdenied-admin -- \
  docker run --rm -it \
    -v "$PWD:/data" \
    -w /data/infra/terraform/site \
    -e AWS_ACCESS_KEY_ID \
    -e AWS_SECRET_ACCESS_KEY \
    -e AWS_SESSION_TOKEN \
    -e AWS_REGION=us-west-2 \
    -e CLOUDFLARE_API_TOKEN \
    hashicorp/terraform:latest plan -var-file=terraform.tfvars

GitHub Actions configuration

After terraform apply, set these in your GitHub repo:

• Secret: AWS_ROLE_ARN (Terraform output: deploy_role_arn)
• Variables:
  • AWS_REGION (your aws_region value)
  • S3_BUCKET (Terraform output: site_bucket_name)
  • CLOUDFRONT_DISTRIBUTION_ID (Terraform output: cloudfront_distribution_id)

Deploy workflow: .github/workflows/deploy.yml

Cutover away from GitHub Pages

1. Confirm the domain resolves to CloudFront (Terraform creates the Cloudflare DNS records).
2. Disable GitHub Pages for this repo (set Pages source to “None”).

Editing content

• Landing page copy: _data/home.yml
• Landing page structure/styling: index.html
• Privacy policy (Markdown source): privacy-policy.md
  • Jekyll outputs: /privacy-policy.html

To add another Markdown page:

1. Create a new *.md file with front matter like:

   ---
   layout: page
   title: Your Title
   permalink: /your-page.html
   ---
   

2. Write the content in Markdown below it.