With HTTP2 which is available on CloudFront in September. So it's new-ish because there's no reason really why setting up a website on S3 should take longer or should be easier than just setting up the full thing with HTTP2 and IPv6 and all that if you just have some conventions. We will use Terraform, it's from HashiCorp, it does Vagrant, Packer. It's like CloudFormation but different. It has a really, really, really pleasant CLI. So you can do terraform plan, it'll display all the things you want to do. You do terraform apply, it builds all the things you want to do. It has a really nice language because we don't just use Amazon, but we will use it with Amazon as well. So sometimes our clients force us to use really terrible infrastructure. The basic language looks like that. You have resources, your resources are managed in your Terraform definition files. And you have data sources which like if you want to have, you don't want to manage your Route 53 zone through Terraform but you want to manage your Route 53 records specifically for the thing you're provisioning. So you'll have two sort of different concepts. Our goal for this is to just set up that. We have Route 53, we have CloudFront, we have HTTP2, we use the ACM to get the certificate and we have S3 behind that. So setting up an S3 bucket is like the simplest thing you can do, right? So it's pretty, everyone should be sorry for me, everybody. So you have a resource, the name of the resource, a definition that's just internal to Terraform, how Terraform refers to it. Then we'll name it, we'll set it to public-read. We'll show you what that looks like. So you'll have, it'll tell you, this is the thing you want to apply and it'll execute that. It'll create the S3 bucket with the file. It won't do anything very interesting. To set up HTTP2, we need to go through the ACM to request the certificate. We have to do that sort of manually because there's no, because it has to send an email.
And I don't understand why, if it's configured in my Route 53, but it still wants to send me an email. So okay, it has to be in US East because of CloudFront and we need to copy the ARN that you get once you define it, right? Because we'll refer to that later. With CloudFront, set up. SSL, HTTP2, IPv6. We'll set up two different ways of caching, right? Because CloudFront relies on you having unique URLs for everything, right? Because you can't do instant cache purges and things like that. So we set up one cache for everything, which is just our HTML, and then one really long cache for assets, right? So when we upload, when we deploy new stuff, it'll just instantly be cleared. So it's a bit of work getting this to work. So this is just, you have to sort of remember this, but this is just like the initial boilerplate, right? So here we're referring to the S3 bucket we created earlier, right? So that's a really nice thing about Terraform, is that you have string interpolation, right? You can just cross-reference your resources. Then we'll set an alias, which is the mable hit, we'll enable IPv6. We'll set on a root object so that it doesn't list off the buckets. And we have to set geo restriction for some reason, that makes no sense, because it's required and they don't have a default, even if I don't want it. Then we'll add SSL with the ARN, the specifier, which is for the domain. And we'll set some default caching behavior, right? So we'll refer to the origin we had earlier. So you see we have an origin, we called it website. And we will refer to the origin there. And we won't cache that, because we want to be able to clear our cache instantly, I don't like waiting for things, I'll try to deploy them to see if this works. And then we did the same thing, and it's really the same code, except all that stuff will cache for as long as possible, right? In the assets slash star.
Then we'll disable error caching, because when I was doing this, there's two problems with caching on Terraform. One is if you upload things, if you have caching, if you cache 404s, and you're uploading like HTML and CSS and a bunch of stuff, right? If you hit the HTML before your other assets have uploaded, you'll have a 404 cached for five minutes, which is not great. So that's why you don't want that cached probably for the 403. That's just if you're just uploading things to test, and then you forget to set your ACL correctly, so it's private. Now you have to sit there and just wait for the five minutes to wait for the thing to be publicated. It's also not great. Finally, one step provision, the same way we were doing it before. So we'll have CloudFront, and we'll create a Route 53 record. And that's just referencing the stuff we did before. So we have our distribution. It's the name of our distribution. We have the Route 53 zone, just let it be put in there. That's it. We have an IPv4 record. We have an IPv6 record, which is the same thing again, but triple A for quadruple A. And that's it. And the code, so I realized there's a lot of code. And it's available on GitHub, and you can use it. Yeah, that's it. AWS only. What would you advise the people to do? Terraform or Cloud Platform? Well, I would use... CloudFormation, sorry. So you can provision things outside of AWS with CloudFormation as well, right? But you sort of have to define it yourself. I've never tried that. Because for us, it's about a lot of other things. If you're comfortable using it, we're not. I don't like looking at those facts. I don't want to write JSON for a living, and I know you can use YAML, but I think they look awful if you... Hold on. What language was it? Oh, it's HCL. I'll show you a really long example. I should call it language. It's JSON-ish. Right. I was trying to help. That's what you should do. Can I? Okay, so here is the stuff that's actually on GitHub, right?
So it's just sort of like key-value. Those variable definitions, I don't like. They're very wordy, right? But if you go into actually distribution... I think it looks really nice. It's a bit like... Is it the first time? Can you start any logic? Yes, well, okay. So the thing I was doing when I was defining like IPv6 and IPv4, what you could do is you define a template and then you can refer things to them, through templates. I don't... You can sort of... You can sort of like declarative. I don't know if you can like loop over things and have like a whole Turing complete sort of thing like you would do with Ansible, right? I don't think so, because I was looking at, how can I make a loop? You can use something like CODT to jeopardize your bits, and then you could have all those sorts of logic. Right, so one of the... Everything that drives this particular file, which is not something I wanted to go through really, but is those three variables drives everything else, right? So if you have... I just want to set up a static site. You've done it once already, right? You're just overriding this, and you're not overriding it in this file. You would just do it on like the command line somewhere. You can also use... Yes, they're fantastic, but I didn't want to go through all of that for some reason. Yeah. So yeah, you get really quick conventions, like I think my designer could put up a static site if he wanted to, and it would be fine, right? From the outset, it would just be fine. Have you done any keys inside here? Sorry? Do you use that key inside here? Yes, well, it got my secrets. Yeah, so you would put them up in the provider. I didn't do that because you're all thieves, as far as I'm concerned. Because... In general, there's practice, right? So you think you guys are actually doing it? Are you keeping it in source control, I guess? No. I don't keep it in source control. So you would...
You could keep it in the environmental variables that you put into your CI, normally, right? It's on Travis. You could set environmental variables. And then they have a specific convention. For beginning up, my credentials on my computer is in the standard dot aws slash credentials. So I put it there. If you don't put it in, you just run it, it will start asking you for them. The best way I've found is to use the profile. Right. Because I run, like, 58 AWS accounts and all. Right, right, right. So one of the things I figured out while I was doing this was you can't set your region anywhere. That one you actually have to define inside of... Because you don't set region in the slash credentials files, you set it in the slash config file, which... You put the region here, but you still have the... Right. Like the profile equal to something, and that is the name profile of the credentials for yourself. So that way, even if you... If another developer checks up the file, right, in that sense, you're putting it in the source control, at least he has to get the AWS key for himself, just fill out maybe the account name. That's only my convention. Right, right. I think that settles the whole critical of credentials because it shows not... Oh, absolutely. Yeah, yeah. Yeah. Right. Does Terraform, like, do mean by checking? Say? Like, say you set up your power front, mic or whatever. Uh-huh. Does it have, like, Terraform space tests and actually tests it? Yes. So in my CI, I will check if there's unapplied Terraform changes. Right. And so if someone goes and edits... If someone goes and edits the definition file, the build will break until they go and manually apply it. So you can put the whole thing in CI. I don't... I'm not brave enough to do that. I want, like, a developer to sit down and look at it and be like, yes, that's what I want to have happen. And apply the change. Yeah. But I block... I block if there's a change in it. Apply. Um... I just...
There's two more things. We were having an email thing earlier, right? And then you were saying about leaky abstractions. So I can give you two. One is... Right, right. One is, right now, if you modify your CloudFront configuration in 0.8.2, which is the current version, it won't work because it'll only work on the initial creation of it. And it'll blow up because there's a bug they're working on which is going to be solved very soon. Another one, which is bigger, is if you have a lot of caching definitions you can't set the order of them because they're using a Go set and sets don't have orders and you can't specify order, which is very annoying. But hey, we have a tab front. Right, so you have a list of, like, oh, slash asset star, it has this caching rule, slash something else has this caching rule, so on. So this works for this example because you have to have a default one and an assets path, right? So in paths, you'd have to go and override it on Amazon itself until they fix that bug, which has been around for a little bit longer. Yeah, that's the ugly. Otherwise, it's great.
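
The CI check and the credentials convention from the Q&A above, sketched as a shell gate. This is an added example, not part of the talk or its GitHub repository; the function names and the numeric statuses 1 and 3 are assumptions, while `terraform plan -detailed-exitcode` is Terraform's own way of reporting an unapplied diff.

```shell
#!/bin/sh
# CI gate for a directory of Terraform definitions (added example, hypothetical names).
# It never runs "terraform apply": a person reviews the plan and applies it by hand.

# Succeeds if any *.tf file under $1 assigns a literal string to access_key or
# secret_key. Interpolated values such as "${var.key}" are not flagged.
has_inline_credentials() {
    grep -rEq --include='*.tf' \
        '^[[:space:]]*(access_key|secret_key)[[:space:]]*=[[:space:]]*"[^$"]' "$1"
}

# Return status: 0 = nothing to apply, 1 = terraform error,
#                2 = unapplied changes, 3 = credentials committed in a .tf file.
terraform_gate() {
    gate_dir=$1
    if has_inline_credentials "$gate_dir"; then
        echo "literal AWS keys found in $gate_dir; use a profile or CI variables" >&2
        return 3
    fi
    # -detailed-exitcode: 0 = empty diff, 1 = error, 2 = non-empty diff.
    # -input=false: fail instead of prompting for missing credentials in CI.
    (cd "$gate_dir" && terraform plan -detailed-exitcode -input=false >/dev/null)
    plan_rc=$?
    case $plan_rc in
        0) echo "no unapplied changes" ;;
        2) echo "unapplied changes: review the plan and apply by hand" >&2 ;;
        *) echo "terraform plan failed" >&2
           plan_rc=1 ;;
    esac
    return "$plan_rc"
}
```

In CI, call `terraform_gate .` as a build step with credentials supplied through the environment (for example `AWS_PROFILE` or the CI system's secret variables), and let any non-zero status fail the build.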