Skip to content

New Environment Setup

Prerequisites

  • AWS account with appropriate permissions
  • Pulumi CLI installed
  • AWS CLI configured
  • A domain name for your services

Quick Start

1. Install prerequisites

bash brew install pulumi awscli uv python@3.13 jq

Install Pulumi, uv, the AWS CLI, Python 3.13+, and jq.

2. Authenticate

```bash aws sso login --profile your-profile

or: aws configure

```

3. Set up Pulumi state backend

Create an S3 bucket and KMS key:

bash aws s3 mb s3://my-org-hawk-pulumi-state # must be globally unique aws kms create-alias --alias-name alias/pulumi-secrets \ --target-key-id $(aws kms create-key --query KeyMetadata.KeyId --output text) pulumi login s3://my-org-hawk-pulumi-state

4. Create and deploy

```bash cd infra pulumi stack init my-org --secrets-provider="awskms://alias/pulumi-secrets" cp ../Pulumi.example.yaml ../Pulumi.my-org.yaml

Edit Pulumi.my-org.yaml with your values

pulumi up ```

First deploy creates ~200+ AWS resources and takes about 15-20 minutes.

5. Secrets

For production stacks, set up API keys:

bash scripts/dev/set-api-keys.sh <env> OPENAI_API_KEY=sk-...

For dev environments, secrets are automatically shared from staging — no manual seeding needed.

6. Your services

After deployment, your services are available at:

  • API: https://api.hawk.<domain>
  • Viewer: https://viewer.hawk.<domain>
  • Middleman: middleman-ecs.<domain>

7. View API logs

bash aws logs tail "$(pulumi stack output api_log_group_name)" \ --region us-west-2 --since 30m --format short | grep -v /health

Dev Environments

For development, create lightweight environments that share staging infrastructure:

bash cd infra ./new-dev-env.sh <your-name> # e.g., ./new-dev-env.sh alice

The script configures the stack and prompts to deploy. Your dev environment shares staging's VPC, ALB, and EKS cluster while getting its own database and services.

See Deployment for more details on managing dev environments.

Tailscale VPN Setup

If using Tailscale for private service access:

  1. Pick an IPv4 CIDR that doesn't conflict with existing ranges (e.g., 10.13.0.0/16)
  2. Add the CIDR to your Tailscale ACL rules
  3. Add a custom nameserver for <environment>.<your-domain> pointing to the CIDR's DNS resolver (e.g., 10.13.0.2)
  4. Set hawk:albInternal: "true" in your stack config
  5. Store a Tailscale auth key in AWS Secrets Manager
  6. Deploy with pulumi up