Deploy to AWS

Learn how to deploy your applications to Amazon Web Services (AWS) and take advantage of its scalable infrastructure and cloud services.

Updated at December 13th, 2025

1. Introduction

This guide explains how to deploy the Vionlabs Edge Processing Services into your AWS account using Terraform. It covers prerequisites, architecture, IAM setup, networking, encryption, step-by-step deployment, and operational best practices.

Deployment should not take more than 2 hours.

1.1 Deployment Options

  • Single-AZ deployments are supported, configured through Terraform variables.
  • Multi-AZ or multi-region deployments are not included in this package.

1.2 Supported AWS Regions

The package supports all AWS-supported regions, including North America, Europe, and Asia.


2. Prerequisites

2.1 Required Skills

  • AWS Cloud: basic to intermediate knowledge
  • DevOps practices: basic knowledge
  • Terraform: basic knowledge

2.2 AWS Account Requirements

  • Use a dedicated AWS account for this workload, ideally one per environment (dev, staging, production).
  • The deployment does not require AWS root account credentials.
  • Terraform must be executed by a user or role with CRUD permissions on the required AWS services.

2.3 AWS Services Used

The deployment uses the following services:

  • Amazon EC2
  • Amazon VPC (subnets, route tables, endpoints)
  • Amazon S3
  • Amazon SNS/SQS
  • Amazon ECR
  • AWS IAM

2.4 Service Limits

Check account quotas for EC2, VPC Endpoints, and SQS/SNS. Use AWS Service Quotas or Trusted Advisor to increase limits before deployment if needed.

3. Security and Encryption

  • No public resources are created.
  • Amazon S3: Server-side encryption at rest (AES) and enforced HTTPS-only for encryption in transit.
  • Amazon SNS/SQS: Encryption in transit via HTTPS.
  • Amazon ECR: HTTPS enforced.
  • Amazon EC2/EBS: Volumes encrypted by default.
  • No LUKS is required, since AWS-native encryption is used.
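The S3 controls listed above, written out as Terraform so they can be checked in a plan. This is an added example, not code from the Vionlabs package; the bucket name and all resource names are assumed.

```hcl
# Added example: the S3 controls listed above as Terraform. Bucket and
# resource names are assumed, not the package's own identifiers.
resource "aws_s3_bucket" "feature" {
  bucket = "example-vionlabs-feature-bucket" # assumed name
}

# No public resources: block every form of public access on the bucket.
resource "aws_s3_bucket_public_access_block" "feature" {
  bucket                  = aws_s3_bucket.feature.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Encryption at rest: server-side encryption with AES-256 (SSE-S3).
resource "aws_s3_bucket_server_side_encryption_configuration" "feature" {
  bucket = aws_s3_bucket.feature.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# Encryption in transit: deny any request that does not arrive over TLS.
# An explicit Deny overrides any Allow an IAM principal may otherwise hold.
data "aws_iam_policy_document" "feature_https_only" {
  statement {
    sid     = "DenyInsecureTransport"
    effect  = "Deny"
    actions = ["s3:*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    resources = [aws_s3_bucket.feature.arn, "${aws_s3_bucket.feature.arn}/*"]
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "feature" {
  bucket = aws_s3_bucket.feature.id
  policy = data.aws_iam_policy_document.feature_https_only.json
}
```

After apply, `aws s3api get-bucket-encryption` and `aws s3api get-bucket-policy` on the bucket should show the AES256 rule and the `DenyInsecureTransport` statement respectively.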


4. Repository Layout

The Terraform package is structured into modules for VM, networking, and IAM.

terraform-main/
├── README.md
├── main.tf
├── variables.tf
├── variables_vm.tf
├── vm.tf
├── vm_script.tf
├── output.tf
├── output_vm.tf
├── aws-vm/
│   ├── main.tf
│   ├── variables.tf
│   └── output.tf
└── remote-infra/
    ├── main.tf
    ├── variables.tf
    ├── backend-iam.tf
    └── output.tf

4.1 Explanation of Files

| File / Module | Purpose |
| --- | --- |
| main.tf | Root module, orchestrates VM and infrastructure modules. |
| variables.tf | Defines global input variables (region, tags, account settings). |
| variables_vm.tf | Defines VM-specific variables (AMI ID, instance type, key pair). |
| vm.tf | EC2 VM definition, networking attachments, IAM instance profile. |
| vm_script.tf | User data script injection and bootstrap configuration for the VM. |
| output.tf | Root outputs (IAM credentials, queue URLs, bucket names). |
| output_vm.tf | Outputs related specifically to the VM (DNS, instance ID, IP). |
| aws-vm/main.tf | Submodule for VM networking and EC2 provisioning. |
| aws-vm/variables.tf | Input variables specific to the aws-vm module. |
| aws-vm/output.tf | Outputs from the aws-vm submodule (networking resources). |
| remote-infra/main.tf | Provisions supporting infrastructure (S3, SNS, SQS, IAM roles). |
| remote-infra/variables.tf | Variables specific to the remote-infra module. |
| remote-infra/backend-iam.tf | Defines the IAM user/role for backend communication. |
| remote-infra/output.tf | Outputs from the remote-infra module (queue URLs, bucket ARNs). |
| README.md | Package-level instructions for running Terraform locally. |

5. IAM Model and Secrets

5.1 IAM Entities Created

  • IAM User 1 (or IAM Role): Used by Vionlabs backend for SNS/SQS and S3 access.
  • IAM Instance Profile (VM Role): Attached to EC2, grants access to buckets and queues.
  • IAM User 2 (Customer): Pre-existing, used to run Terraform.

5.2 IAM Policy Matrix

| IAM Entity | Service | Actions | Purpose |
| --- | --- | --- | --- |
| VM Instance Profile | S3 | GetObject, PutObject | Video read, features/secure write |
| | SQS/SNS | Send, Receive | Process events |
| | ECR | Pull | Container updates |
| IAM User 1/Role | S3 | List, GetObject | Vionlabs backend fetch features |
| | SQS/SNS | Publish/Subscribe | Event communication |
| IAM User 2 (Customer) | All | CRUD | Terraform execution only |
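A least-privilege policy for the VM instance profile, built row by row from the matrix above. This is an added example, not the package's own policy; the bucket, queue, topic, repository and role references are assumed resource names.

```hcl
# Added example: least-privilege policy for the EC2 instance profile, one
# statement per matrix row. All referenced resources are assumed names.
data "aws_iam_policy_document" "vm" {
  statement { # S3: video read
    sid       = "ReadVideos"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.video.arn}/*"]
  }
  statement { # S3: features/secure write (no List, no Delete)
    sid       = "WriteOutputs"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.feature.arn}/*", "${aws_s3_bucket.secure.arn}/*"]
  }
  statement { # SQS: send/receive on the two package queues only
    sid       = "ProcessEvents"
    actions   = ["sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage"]
    resources = [aws_sqs_queue.batches.arn, aws_sqs_queue.events.arn]
  }
  statement { # SNS: publish to the events topic only
    sid       = "PublishEvents"
    actions   = ["sns:Publish"]
    resources = [aws_sns_topic.events.arn]
  }
  statement { # ECR: the auth-token action only supports resource "*"
    sid       = "EcrLogin"
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"]
  }
  statement { # ECR: pull limited to the edge image repository
    sid       = "EcrPull"
    actions   = ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:BatchCheckLayerAvailability"]
    resources = [aws_ecr_repository.edge.arn]
  }
}

# Attach to the VM role (assumed to exist with an ec2.amazonaws.com trust policy).
resource "aws_iam_role_policy" "vm" {
  role   = aws_iam_role.vm.id
  policy = data.aws_iam_policy_document.vm.json
}

resource "aws_iam_instance_profile" "vm" {
  role = aws_iam_role.vm.name
}
```

Every statement except `EcrLogin` is pinned to a specific ARN, so a compromised VM cannot enumerate or reach buckets and queues outside this deployment.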

5.3 Secrets and Credential Rotation

  • If IAM User 1 is created: Terraform outputs backend-aws-id and backend-aws-secret.
  • If IAM Role is used: no secrets generated.
  • Secrets are stored in Terraform state (must be protected).

Credential rotation steps:

1. Disable the old IAM access key, either in the AWS console or through a Terraform variable.
2. Run `terraform apply` to generate a new key.
3. Update the consuming systems with the new key.
4. Delete the old key.
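One way to drive the conditional creation in 5.3 and the four rotation steps from Terraform variables. This is an added example, not the package's backend-iam.tf; the variable and resource names are assumed, and the two outputs are maps keyed by a key label so that both keys remain visible during the overlap in step 3.

```hcl
# Added example: conditional backend credentials plus a rotation switch for
# the steps above. Variable and resource names are assumed, not the package's.
variable "create_backend_user" {
  description = "true: create IAM User 1 with access keys; false: an IAM role is used and no secret exists"
  type        = bool
  default     = false
}

# One entry per key, label => status. Rotation: step 1 set the old key to
# "Inactive"; step 2 add a new label as "Active"; step 4 remove the old entry.
variable "backend_keys" {
  type    = map(string)
  default = { "v1" = "Active" }
  validation {
    condition     = alltrue([for s in values(var.backend_keys) : contains(["Active", "Inactive"], s)])
    error_message = "Each key status must be Active or Inactive."
  }
}

resource "aws_iam_user" "backend" {
  count = var.create_backend_user ? 1 : 0
  name  = "vionlabs-backend" # assumed name
}

resource "aws_iam_access_key" "backend" {
  for_each = var.create_backend_user ? var.backend_keys : tomap({})
  user     = aws_iam_user.backend[0].name
  status   = each.value
}

# Keyed by label so both keys are visible during the overlap in step 3.
output "backend-aws-id" {
  value = { for label, key in aws_iam_access_key.backend : label => key.id }
}

# sensitive = true redacts the value from plan/apply output; it is still
# written to state, which is why the state backend must be encrypted.
output "backend-aws-secret" {
  value     = { for label, key in aws_iam_access_key.backend : label => key.secret }
  sensitive = true
}
```

With `create_backend_user = false` no IAM user or key is created and both outputs are empty maps, matching the "IAM Role is used: no secrets generated" case.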

6. Network Architecture

The deployment provisions:

  • VPC with private subnets and route tables
  • VPC Endpoints: S3, SNS, SQS, ECR
  • Security Groups with restricted inbound rules
  • No Internet Gateway/NAT required

Example Terraform snippet (vm_net.tf):

resource "aws_vpc_endpoint" "s3" {
  vpc_id       = aws_vpc.main.id
  service_name = "com.amazonaws.${var.region}.s3"
}
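The complete private-connectivity setup for the endpoints listed in this section, as an added example that is not the package's vm_net.tf. The VPC, private subnet, private route table and VM security group are assumed to be defined elsewhere.

```hcl
# Added example: private connectivity for the services listed above without
# an Internet Gateway or NAT. VPC, subnet, route table and SG names are assumed.
locals {
  # Interface endpoints; S3 uses a gateway endpoint instead (route-based, no ENI).
  interface_services = ["sqs", "sns", "ecr.api", "ecr.dkr"]
}

# Gateway endpoint: S3 traffic is routed through the private route table.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.main.id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.private.id]
}

# Only the VM's security group may reach the interface endpoints, on 443.
resource "aws_security_group" "endpoints" {
  name   = "vionlabs-edge-endpoints" # assumed name
  vpc_id = aws_vpc.main.id
  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.vm.id]
  }
}

# Interface endpoints with private DNS, so the AWS SDK/CLI on the VM resolves the
# regional service hostnames to the endpoint ENIs without any client configuration.
resource "aws_vpc_endpoint" "interface" {
  for_each            = toset(local.interface_services)
  vpc_id              = aws_vpc.main.id
  service_name        = "com.amazonaws.${var.region}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = [aws_subnet.private.id]
  security_group_ids  = [aws_security_group.endpoints.id]
  private_dns_enabled = true
}

# ECR stores image layers in S3, so the gateway endpoint is also needed for
# docker pulls; no 0.0.0.0/0 route is ever added to the private route table.
```

Without `route_table_ids` a gateway endpoint exists but is never used, so `aws ec2 describe-vpc-endpoints` should show the private route table associated with the S3 endpoint after apply.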

7. Terraform Variables and Tagging

Example Variables

variable "region" {
  description = "AWS region for deployment"
  default     = "eu-west-1"
}
variable "instance_type" {
  description = "EC2 instance type"
  default     = "m7i.4xlarge"
}

Tagging Example

tags = {
  Project = "VionlabsEdge"
  Owner   = "MediaOpsTeam"
  Env     = "Prod"
}

8. Step-by-Step Deployment

1. Unpack the Terraform package.
2. Configure the provider and backend in main.tf.
3. Update a tfvars file with environment-specific values.
4. Run `terraform init`.
5. Run `terraform validate`.
6. Run `terraform plan -var-file=env.tfvars`.
7. Run `terraform apply -var-file=env.tfvars`.
8. Capture outputs and store them securely.
9. Validate resources in the AWS console.

9. Terraform Outputs Explained

  • backend-aws-id / backend-aws-secret: IAM User credentials (if created).
  • batches_sqs_url, events_sqs_url: Queue URLs.
  • events_sns_arn: SNS topic ARN.
  • video_bucket_name, feature_bucket_name, secure_bucket_name: S3 buckets.
  • vm_private_dns, vm_id: EC2 identifiers.

10. Operations and Maintenance

  • VM auto-updates enabled.
  • Backup via EBS snapshots and S3 lifecycle policies.
  • Protect Terraform state: store in encrypted S3 with DynamoDB locking.

Example Backend Configuration:

terraform {
  backend "s3" {
    bucket         = "your-tfstate-bucket"
    key            = "vionlabs/edge/prod/terraform.tfstate"
    region         = "eu-west-1"
    encrypt        = true
    dynamodb_table = "your-tfstate-locks"
  }
}

11. Health Checks

11.1 VM Instance Health

  • Verify EC2 instance status checks (2/2 checks passed).
  • Ensure the instance profile is attached and IAM permissions allow S3/SQS/SNS access.
  • Use CloudWatch metrics for CPU; memory metrics are only available if the CloudWatch Agent is installed.

11.2 S3 Buckets

  • Confirm encryption is enabled with `aws s3api get-bucket-encryption`.
  • Validate access by uploading and retrieving test objects.
  • Check lifecycle policies if configured.

11.3 SQS/SNS

  • Send a test message to the SQS queue and confirm it is received by the application.
  • Validate SNS topic subscriptions (confirm active status).

11.4 Networking

  • Check VPC Endpoints for available status.
  • Verify Security Group rules block all public inbound access.
  • Ensure no Internet Gateway is attached.

12. Troubleshooting & Support

12.1 Common Issues

  • Terraform errors: Ensure provider version is correct and AWS credentials have required permissions.
  • VM not starting: Check EC2 instance type availability and quota.
  • IAM permission denied: Verify IAM User/Role used for Terraform has CRUD on EC2, S3, SQS, SNS, ECR, IAM.
  • S3 upload failures: Confirm IAM role attached to EC2 has PutObject permission.
  • SNS/SQS communication issues: Ensure endpoints are deployed in the correct region and queues have correct permissions.
  • ECR pull failures: Verify that the ECR endpoint exists and EC2 has the correct IAM permissions.

12.2 Debugging Steps

  • Check Terraform logs with `TF_LOG=DEBUG`.
  • Inspect AWS CloudTrail for denied IAM actions.
  • Use AWS CLI to test S3, SQS, and SNS connectivity from within the VM.
  • Check CloudWatch Logs for application logs (if configured).
  • Gather Terraform logs, AWS resource IDs, and IAM policies.

12.3 Support

If issues persist: