| name | deploy-guardian-aws |
| description | Deploy, update, inspect, and troubleshoot the repository AWS ECS environment using `scripts/aws-deploy.sh` and Terraform in `infra/`. Use when Codex needs to verify AWS auth, run the repo deploy script, reason about ECR, ECS, ALB, CloudWatch, RDS, Secrets Manager, Route 53, ACM, or Cloudflare deployment variables before changing infrastructure. |
Deploy AWS Stack
Read the current source of truth at the start of every task:
docs/SERVER_AWS_DEPLOY.mddocs/PRODUCTION.mddocs/architecture/infra.mddocs/runbooks/secrets.mdscripts/aws-deploy.shinfra/variables.tfinfra/terraform.tfvars.example- the relevant
infra/*.tf files for the behavior being changed
Trust these sources in this order:
scripts/aws-deploy.sh for supported commands, flags, and shell env varsinfra/*.tf and infra/variables.tf for actual Terraform behaviordocs/SERVER_AWS_DEPLOY.md and infra/README.md for operator workflow
When deployment commands, Terraform variables, secret names, DNS behavior, runtime defaults, or supported stack topology change, update the matching operator docs in the same task. Use the Documentation Impact Check in AGENTS.md to avoid stale deploy guidance.
Preflight
- Verify AWS identity, Docker, and Terraform:
aws sts get-caller-identity
docker info
terraform version
- Load repo env when the deployment expects values from
.env:
set -a && source .env && set +a
- If the environment uses AWS SSO plus an assumed role, refresh SSO, export temporary credentials, and verify them before deploy commands.
- Run
terraform -chdir=infra output or ./scripts/aws-deploy.sh status before the first mutating command in a session.
Primary Commands
- Normal deploy:
./scripts/aws-deploy.sh deploy
- Create the prod ACK secrets once:
./scripts/aws-deploy.sh bootstrap-ack-keys
- Infra or runtime update without rebuilding the image:
./scripts/aws-deploy.sh deploy --skip-build
- Outputs and URLs:
./scripts/aws-deploy.sh status
- Server logs:
./scripts/aws-deploy.sh logs
- Destroy:
./scripts/aws-deploy.sh cleanup
Prefer the deploy script over raw terraform apply and terraform destroy unless the task is explicitly about Terraform debugging or plan inspection.
Current Deployment Model
- The AWS stack is RDS-backed. There is no supported
database_mode or legacy ECS Postgres path anymore.
./scripts/aws-deploy.sh deploy provisions or updates the ECS server service, the RDS instance, and the Secrets Manager DATABASE_URL wiring../scripts/aws-deploy.sh bootstrap-ack-keys is the create-only command for the prod Falcon/ECDSA ack key secrets used by prod.- The deploy script resolves the ECR
latest tag to an immutable digest before calling Terraform, so a new image push should produce a new ECS task-definition revision even if the repo tag stays latest.
- The deploy script keeps separate local Terraform state files per
STACK_NAME and DEPLOY_STAGE, using infra/terraform.<stack>.<stage>.tfstate by default.
- If an older local state still exists at
infra/terraform.tfstate, handle that move explicitly instead of relying on the script to migrate it.
- Do not tell the user to preserve or re-enable the retired Postgres ECS or Cloud Map resources.
- If the task involves an old stack that still has ECS-hosted Postgres data, treat it as an operator-managed cutover outside the steady-state Terraform design.
Variable Discipline
Use the deploy script env vars for the normal workflow:
AWS_REGIONCPU_ARCHITECTURESTACK_NAMEDEPLOY_STAGETF_STATE_PATHDOMAIN_NAMESUBDOMAINACM_CERTIFICATE_ARNROUTE53_ZONE_IDCLOUDFLARE_ZONE_IDCLOUDFLARE_API_TOKENCLOUDFLARE_PROXIEDGUARDIAN_NETWORK_TYPEGUARDIAN_CORS_ALLOWED_ORIGINSGUARDIAN_OPERATOR_PUBLIC_KEYS_JSONGUARDIAN_OPERATOR_PUBLIC_KEYS_SECRET_ARNGUARDIAN_EVM_CHAIN_CONFIG_FILEGUARDIAN_EVM_ALLOWED_CHAIN_IDSGUARDIAN_EVM_ALLOWED_CHAIN_IDS_SECRET_ARNGUARDIAN_EVM_RPC_URLSGUARDIAN_EVM_RPC_URLS_SECRET_ARNGUARDIAN_EVM_ENTRYPOINT_ADDRESS
Use TF_VAR_* only for Terraform variables that the script does not map directly, such as:
TF_VAR_cluster_nameTF_VAR_server_service_nameTF_VAR_alb_nameTF_VAR_vpc_idTF_VAR_subnet_idsTF_VAR_postgres_dbTF_VAR_postgres_userTF_VAR_postgres_passwordTF_VAR_rds_instance_classTF_VAR_rds_allocated_storageTF_VAR_rds_max_allocated_storageTF_VAR_rds_engine_versionTF_VAR_rds_backup_retention_daysTF_VAR_rds_deletion_protectionTF_VAR_rds_skip_final_snapshotTF_VAR_rds_publicly_accessibleTF_VAR_rds_proxy_enabledTF_VAR_server_desired_countTF_VAR_server_autoscaling_enabledTF_VAR_server_autoscaling_min_capacityTF_VAR_server_autoscaling_max_capacityTF_VAR_server_autoscaling_cpu_targetTF_VAR_server_autoscaling_memory_targetTF_VAR_guardian_rate_burst_per_secTF_VAR_guardian_rate_per_minTF_VAR_guardian_operator_public_keysTF_VAR_guardian_operator_public_keys_secret_arnTF_VAR_guardian_db_pool_max_sizeTF_VAR_guardian_metadata_db_pool_max_sizeTF_VAR_alb_ingress_cidrsTF_VAR_log_retention_days
Treat these as stale or conditional:
- legacy network env naming is stale; use
GUARDIAN_NETWORK_TYPE
DEPLOY_STAGE=dev keeps the stack close to the current fixed-capacity profileDEPLOY_STAGE=prod enables ECS autoscaling, RDS storage autoscaling, RDS Proxy, larger default RDS sizing, and benchmark-oriented runtime defaultsCPU_ARCHITECTURE=X86_64 preserves the current amd64 deployment behaviorCPU_ARCHITECTURE=ARM64 is the native build path on Apple Silicon and usually much faster locally, but it changes the ECS task definition runtime architecture too- set
STACK_NAME only when the deployment should preserve non-default resource names
AWS_PROFILE is only needed for the initial SSO or assume-role step if temporary credentials are exported afterwardSTS_CMD is only a temporary shell helper and can be unset after exporting credentialsCLOUDFLARE_ZONE_ID without CLOUDFLARE_API_TOKEN is invalid for Terraform-managed Cloudflare DNSROUTE53_ZONE_ID is only needed if Terraform should create the AWS Route 53 record; current Terraform does not auto-discover the zoneDATABASE_MODE is stale and should not appear in commands or advice- old ECS Postgres naming overrides such as
TF_VAR_postgres_service_name, TF_VAR_sd_namespace_name, TF_VAR_postgres_task_family, and TF_VAR_postgres_log_group_name are stale and should not be used
Validation
After every deploy:
- run
./scripts/aws-deploy.sh status
- verify the root URL and
/pubkey
- verify the gRPC endpoint when HTTPS is enabled
- verify the running ECS task definition or image reference when the task is specifically about image rollout or stale containers
- note the RDS endpoint,
database_url_secret_arn, and the ack secret names
- note whether the server is using direct RDS or the RDS Proxy endpoint
- note whether the active URL is the ALB DNS name or the custom domain
- record the AWS account, region, network type, and DNS mode used
Output Shape
Default to giving the user the exact commands to run for the requested deployment task.
- Prefer one short ordered command sequence over a prose-heavy explanation
- Include
export lines only for variables that matter for the requested task
- If the needed deploy vars are already stored in
.env, prefer set -a && source .env && set +a over repeating individual export lines
- Omit stale or unnecessary variables
- Use placeholders only for secrets or values the user has not provided
- If the task is risky or destructive, separate inspection commands from mutating commands
Reporting
Report:
- the exact commands the user should run
- commands run
- auth mode used
- env vars and
TF_VAR_* overrides used
- Terraform outputs that changed
- health checks performed
- blockers found between state, docs, and Terraform code
- docs checked or updated
