AWS

AWS hosts tomoda's static asset layer and nothing else. Everything is in a single region — ap-northeast-1 (Tokyo) — and the surface area is intentionally tiny: an S3 bucket per environment, a CloudFront distribution in front of it, an ACM certificate for the custom domain, and two IAM users (one for the backend uploader, one for External Secrets Operator). All compute, all data stores, and all secrets management live on GCP; AWS exists purely to serve bytes from an edge cache.

  • Overview
    Region choice, resource inventory, environments, Terraform workspaces, and known cleanup items.

  • S3
    tomoda-assets-dev and tomoda-assets-prod. Private buckets, OAC-only read access, AWS-managed encryption.

  • CloudFront
    Global CDN distributions for assets.tomoda.life and assets-dev.tomoda.life. TLSv1.2_2021, PriceClass_All.

  • ACM
    Per-env certs in us-east-1 for CloudFront, DNS-validated via Cloudflare CNAMEs.

  • IAM
    tomoda-uploader-{env} (PutObject-only) and tomoda-eso-reader-{env} (Secrets Manager reader).

For how AWS fits into the wider request path — Cloudflare DNS at the edge, CloudFront for assets, Traefik on GKE for everything else — see the Cloudflare page.