New Environment Setup
Prerequisites
- AWS account with appropriate permissions
- Pulumi CLI installed
- AWS CLI configured
- A domain name for your services
Quick Start
1. Install prerequisites
2. Authenticate
3. Set up Pulumi state backend
Create an S3 bucket and KMS key:
aws s3 mb s3://my-pulumi-state
aws kms create-alias --alias-name alias/pulumi-secrets \
  --target-key-id $(aws kms create-key --query KeyMetadata.KeyId --output text)
pulumi login s3://my-pulumi-state
4. Create and deploy
cd infra
pulumi stack init my-org --secrets-provider="awskms://alias/pulumi-secrets"
cp ../Pulumi.example.yaml ../Pulumi.my-org.yaml
# Edit Pulumi.my-org.yaml with your values
pulumi up
The first deploy creates ~200+ AWS resources and takes about 15-20 minutes.
5. Secrets
For production stacks, set up API keys:
For dev environments, secrets are automatically shared from staging — no manual seeding needed.
6. Your services
After deployment, your services are available at:
- API: https://api.hawk.<domain>
- Viewer: https://viewer.hawk.<domain>
- Middleman: middleman-ecs.<domain>
7. View API logs
aws logs tail "$(pulumi stack output api_log_group_name)" \
  --region us-west-2 --since 30m --format short | grep -v /health
Dev Environments
For development, create lightweight environments that share staging infrastructure:
The script configures the stack and prompts to deploy. Your dev environment shares staging's VPC, ALB, and EKS cluster while getting its own database and services.
See Deployment for more details on managing dev environments.
Tailscale VPN Setup
If using Tailscale for private service access:
- Pick an IPv4 CIDR that doesn't conflict with existing ranges (e.g., 10.13.0.0/16)
- Add the CIDR to your Tailscale ACL rules
- Add a custom nameserver for <environment>.<your-domain> pointing to the CIDR's DNS resolver (e.g., 10.13.0.2)
- Set hawk:albInternal: "true" in your stack config
- Store a Tailscale auth key in AWS Secrets Manager
- Deploy with pulumi up
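
The CIDR and resolver choices in the Tailscale steps can be checked before deploying. The following Python sketch is an added example, not part of the project's own tooling: the function names and the EXISTING_RANGES inventory are constructed for illustration. It assumes the resolver sits at the network base address plus two (the AWS VPC convention, which matches the 10.13.0.0/16 and 10.13.0.2 pair in the steps), and it also flags overlap with 100.64.0.0/10, the range Tailscale assigns node addresses from.

```python
import ipaddress

# Tailscale hands out node addresses from the CGNAT block; keep the VPC clear of it.
TAILSCALE_CGNAT = ipaddress.ip_network("100.64.0.0/10")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample inventory of ranges already in use (assumption; use your own).
EXISTING_RANGES = {
    "staging-vpc": "10.0.0.0/16",
    "prod-vpc": "10.12.0.0/16",
    "office-lan": "192.168.1.0/24",
}


def parse_cidr(candidate):
    """Parse an IPv4 CIDR; strict mode rejects host bits such as 10.13.0.5/16."""
    net = ipaddress.ip_network(candidate, strict=True)
    if net.version != 4:
        raise ValueError("expected an IPv4 CIDR")
    return net


def find_conflicts(candidate, existing=EXISTING_RANGES):
    """Return the sorted names of ranges that overlap the candidate CIDR."""
    net = parse_cidr(candidate)
    hits = [name for name, cidr in existing.items() if net.overlaps(parse_cidr(cidr))]
    if net.overlaps(TAILSCALE_CGNAT):
        hits.append("tailscale-cgnat")
    return sorted(hits)


def vpc_resolver(candidate):
    """AWS serves VPC DNS at the network base address plus two."""
    return str(parse_cidr(candidate).network_address + 2)


def review(candidate, existing=EXISTING_RANGES):
    """Summarise the checks for one candidate CIDR."""
    net = parse_cidr(candidate)
    return {
        "cidr": str(net),
        "rfc1918": any(net.subnet_of(r) for r in RFC1918),
        "conflicts": find_conflicts(candidate, existing),
        "resolver": vpc_resolver(candidate),
    }


if __name__ == "__main__":
    print(review("10.13.0.0/16"))      # the example range from the steps above
    print(review("10.12.128.0/17"))    # constructed conflicting candidate
```

A non-empty conflicts list means the range would shadow or be shadowed by an existing route; the resolver value is the address to use for the custom nameserver entry.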