Name: Af Environment Infrastructure
Author: GainInsightDev

Buscar habilidades.../

Af Environment Infrastructure | Skills Pool

doppler run --project gi --config prd -- bash -c '
  AWS_ACCESS_KEY_ID=$DOMAIN_ADMIN_AWS_ACCESS_KEY_ID \
  AWS_SECRET_ACCESS_KEY=$DOMAIN_ADMIN_AWS_SECRET_ACCESS_KEY \
  AWS_DEFAULT_REGION=eu-west-2 \
  aws route53 <command>'

project-registry juncan aws        # Show AWS accounts
project-registry list              # All project keys
project-registry find-by-team JKN  # Find project by Linear team key

MUST use Doppler for all secrets. No .env files, no hardcoded credentials.
MUST use domain admin credentials for Route53 changes. Project-level IAM users typically lack Route53 permissions.

MUST assume OrganizationAccountAccessRole for cross-account admin operations when project IAM user lacks permissions:

CREDS=$(doppler run --project gi --config prd -- aws sts assume-role \
  --role-arn arn:aws:iam::{account-id}:role/OrganizationAccountAccessRole \
  --role-session-name admin-operation --output json)

MUST store new credentials in Doppler immediately after creation. Never leave credentials in terminal history or temp files.

Request ACM certificate in us-east-1:

doppler run --project {project} --config stg -- aws acm request-certificate \
  --domain-name {subdomain}.{project}.gaininsight.global \
  --validation-method DNS \
  --region us-east-1

Get validation CNAME from certificate:

doppler run --project {project} --config stg -- aws acm describe-certificate \
  --certificate-arn {arn} --region us-east-1 \
  --query "Certificate.DomainValidationOptions[0].ResourceRecord"

Add validation record using domain admin credentials:

doppler run --project gi --config prd -- bash -c '
  AWS_ACCESS_KEY_ID=$DOMAIN_ADMIN_AWS_ACCESS_KEY_ID \
  AWS_SECRET_ACCESS_KEY=$DOMAIN_ADMIN_AWS_SECRET_ACCESS_KEY \
  aws route53 change-resource-record-sets \
    --hosted-zone-id {project-zone-id} \
    --change-batch '"'"'{"Changes":[{"Action":"CREATE","ResourceRecordSet":{...}}]}'"'"''

Wait for certificate validation (2-5 minutes)
Create CloudFront distribution with certificate and custom domain alias
Add CNAME record pointing subdomain to CloudFront domain

Create hosted zone:

doppler run --project gi --config prd -- bash -c '
  AWS_ACCESS_KEY_ID=$DOMAIN_ADMIN_AWS_ACCESS_KEY_ID \
  AWS_SECRET_ACCESS_KEY=$DOMAIN_ADMIN_AWS_SECRET_ACCESS_KEY \
  aws route53 create-hosted-zone \
    --name {project}.gaininsight.global \
    --caller-reference "{project}-$(date +%s)"'

Note the 4 nameservers from the response
Add NS delegation to parent zone (Z08261483JJZ016GFVDDQ):
```
# Add NS record with the 4 nameservers
```
Store zone ID in project documentation (CLAUDE.md)

Assume OrganizationAccountAccessRole:

CREDS=$(doppler run --project gi --config prd -- aws sts assume-role \
  --role-arn arn:aws:iam::{account-id}:role/OrganizationAccountAccessRole \
  --role-session-name {operation-name} --output json)

export AWS_ACCESS_KEY_ID=$(echo $CREDS | jq -r '.Credentials.AccessKeyId')
export AWS_SECRET_ACCESS_KEY=$(echo $CREDS | jq -r '.Credentials.SecretAccessKey')
export AWS_SESSION_TOKEN=$(echo $CREDS | jq -r '.Credentials.SessionToken')

Run commands with elevated permissions

Unset credentials when done:

unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN

Problem	Cause	Solution
"AccessDenied" on Route53	Using project IAM user	Use domain admin credentials
"AccessDenied" on bucket policy	Project user lacks s3:PutBucketPolicy	Assume OrganizationAccountAccessRole
ACM cert stuck pending	Validation record not added	Add CNAME to correct hosted zone
CloudFront 403 errors	S3 bucket policy missing	Add CloudFront service principal or use website endpoint
"Certificate not in us-east-1"	ACM cert in wrong region	Request new cert in us-east-1

Item	Location
Doppler project/config	`gi` / `prd`
Access key variable	`DOMAIN_ADMIN_AWS_ACCESS_KEY_ID`

Item	Location
Doppler project/config	`gi` / `prd`
Access key variable	`DOMAIN_ADMIN_AWS_ACCESS_KEY_ID`

Item	Location
Registry	`project-registry` CLI
Query command	`project-registry <project> [field]`
Update command	`project-registry set <project> <field> <value>`

Environment	Doppler Config	Typical Use
Development	`dev`	Local development, sandboxes
Staging/Test	`stg`	Test environment, CI/CD
Production	`prd`	Production environment

Guide	Purpose
Layer 1: Infrastructure	Complete AWS setup walkthrough
GiDev Server Docs	Server-specific operations

Af Environment Infrastructure

Environment & Infrastructure

When to Use This Skill

Quick Reference

Domain Admin Credentials

Af Environment Infrastructure

Environment & Infrastructure

When to Use This Skill

Quick Reference

Domain Admin Credentials

Project Registry

Doppler Config Mapping

Rules

Credential Rules (MUST)

DNS Rules (MUST)

Infrastructure Rules (SHOULD)

Workflows

Workflow: Add Custom Subdomain with CloudFront

Workflow: Create New Project Subdomain Zone

Workflow: Access Another Account's Resources

Common Pitfalls

Essential Reading

Procedural Guides

Key Files

Sherlock

Domain Name Brainstormer

Bmad Domain Research

Claimable Postgres

Active Directory Attacks

Gws Gmail Watch

File	Contains
`project-registry` CLI	All project AWS accounts, Doppler configs
`/srv/docs/CREDENTIALS.md`	Credential management patterns
`/srv/docs/ADMIN.md`	Server administration including Cloudflare