AWS Infrastructure - HOLE Foundation

Overview

HOLE Foundation uses AWS primarily for AI model access via Bedrock with infrastructure ready for future compute and storage needs.

Terraform Workspace: aws-foundation-prod Organization: theholetruth Location: /Volumes/HOLE-RAID-DRIVE/Projects/hole-terraformer/terraform/aws/foundation/ AWS Account: 420073135340 Region: us-east-1 (primary)

Resources: ~5 (configured, ready for expansion)

---

Infrastructure Managed

IAM (Identity and Access Management)

Roles:

• terraform-bedrock-foundation - Terraform execution role
  • Purpose: Allows Terraform Cloud to manage AWS resources
  • Permissions: Bedrock access, IAM management, KMS
  • ARN: arn:aws:iam::420073135340:role/terraform-bedrock-foundation

File: terraform/aws/foundation/main.tf

Bedrock (AI Model Access)

Models Available:

• claude-3-5-sonnet-20241022 - Fast, cost-effective
• claude-3-opus-20250219 - Most capable
• claude-3-haiku-20240307 - Fastest inference
• claude-instant-1.2 - Legacy model
• Other Bedrock models (Llama, Mistral, etc.)

Regions: us-east-1 (primary), us-west-2 (backup)

File: terraform/aws/foundation/bedrock.tf

Configuration:

# Bedrock access is via IAM policies
# Models are invoked through bedrock:InvokeModel API
# No specific Terraform resources (on-demand model access)

KMS (Encryption)

Keys:

• bedrock-key - Encryption for Bedrock data
• Alias: alias/bedrock-foundation
• Auto-rotation enabled
• 7-day deletion window

Purpose: Encrypt sensitive data used with Bedrock models

Future Infrastructure (Ready to Deploy)

Serverless Compute:

• AWS Lambda - Event-driven functions
• Lambda@Edge - CDN edge functions

Storage:

• S3 buckets - Object storage
• DynamoDB - NoSQL database
• RDS - Relational database (if needed)

Other:

• SQS - Message queues
• SNS - Notifications
• EventBridge - Event routing

---

Making AWS Changes

Standard Workflow

When user asks to deploy AWS infrastructure:

1. Navigate to workspace:

cd /Volumes/HOLE-RAID-DRIVE/Projects/hole-terraformer/terraform/aws/foundation

2. Load AWS credentials from dotenvx:

export AWS_ACCESS_KEY_ID=$(cd /Volumes/HOLE-RAID-DRIVE/dotenvx && dotenvx get AWS_ACCESS_KEY_ID)
export AWS_SECRET_ACCESS_KEY=$(cd /Volumes/HOLE-RAID-DRIVE/dotenvx && dotenvx get AWS_SECRET_ACCESS_KEY)
export TF_VAR_aws_access_key="$AWS_ACCESS_KEY_ID"
export TF_VAR_aws_secret_key="$AWS_SECRET_ACCESS_KEY"

3. Edit Terraform files:

• Add Lambda, S3, or other AWS resources
• Update IAM policies as needed

4. Plan and apply:

terraform plan
terraform apply

---

Common AWS Operations

Deploy Lambda Function

User: "Create a Lambda function for AI processing"

Steps:

1. Create Lambda code file (e.g., lambda/ai-processor.py)
2. Add Lambda resource to Terraform:

# Lambda function
resource "aws_lambda_function" "ai_processor" {
  filename      = "lambda/ai-processor.zip"
  function_name = "ai-processor"
  role          = aws_iam_role.lambda_bedrock.arn
  handler       = "index.handler"
  runtime       = "python3.11"

  environment {
    variables = {
      BEDROCK_MODEL = "claude-3-5-sonnet-20241022"
      AWS_REGION    = "us-east-1"
    }
  }

  tags = {
    Project = "HOLE Foundation"
  }
}

# IAM role for Lambda
resource "aws_iam_role" "lambda_bedrock" {
  name = "lambda-bedrock-access"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action = "sts:AssumeRole"
      Effect = "Allow"
      Principal = {
        Service = "lambda.amazonaws.com"
      }
    }]
  })
}

# Bedrock access policy
resource "aws_iam_role_policy" "lambda_bedrock" {
  name = "bedrock-access"
  role = aws_iam_role.lambda_bedrock.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Action = [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ]
      Resource = "*"
    }]
  })
}

3. Plan and apply

Create S3 Bucket

User: "Create an S3 bucket for backups"

Template:

resource "aws_s3_bucket" "backups" {
  bucket = "hole-foundation-backups-${var.aws_account_id}"

  tags = {
    Environment = "Production"
    Purpose     = "Backups"
  }
}

# Enable versioning
resource "aws_s3_bucket_versioning" "backups" {
  bucket = aws_s3_bucket.backups.id

  versioning_configuration {
    status = "Enabled"
  }
}

# Enable encryption
resource "aws_s3_bucket_server_side_encryption_configuration" "backups" {
  bucket = aws_s3_bucket.backups.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.bedrock.arn
    }
  }
}

Access Bedrock Models

Bedrock is accessed via API (no Terraform resources to create):

# Example: Python Lambda using Bedrock
import boto3

bedrock = boto3.client('bedrock-runtime', region_name='us-east-1')

response = bedrock.invoke_model(
    modelId='anthropic.claude-3-5-sonnet-20241022-v2:0',
    body=json.dumps({
        "anthropic_version": "bedrock-2023-05-31",
        "max_tokens": 1024,
        "messages": [
            {"role": "user", "content": "Hello!"}
        ]
    })
)

IAM permissions required: bedrock:InvokeModel

---

When to Use AWS vs Other Providers

Use AWS For

✅ AI model inference (Bedrock Claude, other models) ✅ Advanced serverless (Lambda with complex triggers) ✅ Large-scale storage (S3 for big files) ✅ NoSQL databases (DynamoDB) ✅ ML pipelines (SageMaker) ✅ Event-driven architectures (EventBridge, SQS, SNS) ✅ Container orchestration (ECS, EKS)

Use Cloudflare Instead For

• Simple web hosting → Cloudflare Pages
• Edge compute → Cloudflare Workers
• DNS → Cloudflare
• Small object storage → Cloudflare R2 (cost-effective)
• Simple KV storage → Cloudflare KV

Use Azure Instead For

• Enterprise SSO → Azure Entra ID
• Authentication → Azure AD

---

Integration with Other Providers

AWS + Cloudflare (Common Pattern)

Pattern: Cloudflare Worker as API gateway to AWS Lambda/Bedrock

User Request
    ↓
Cloudflare Worker (edge)
    ↓
AWS Lambda (compute)
    ↓
Bedrock (AI inference)
    ↓
Lambda returns result
    ↓
Worker caches in KV
    ↓
Worker returns to user

Terraform Changes Required:

• Cloudflare: Worker + DNS + KV namespace
• AWS: Lambda + IAM role + Bedrock permissions

Benefits:

• Edge caching (Cloudflare KV)
• Global distribution (Cloudflare edge)
• Powerful AI (AWS Bedrock)
• Cost optimization (cache reduces Bedrock calls)

AWS + Azure (SSO)

Pattern: AWS console access via Azure Entra ID

Azure Side: Entra ID → AWS IAM Identity Center integration AWS Side: IAM roles and permissions

Already configured - no changes needed unless adding new roles

---

Secret Management (AWS)

AWS Credentials in dotenvx

Secrets:

• AWS_ACCESS_KEY_ID - Access key ID
• AWS_SECRET_ACCESS_KEY - Secret access key

Loading:

cd /Volumes/HOLE-RAID-DRIVE/dotenvx
export AWS_ACCESS_KEY_ID=$(dotenvx get AWS_ACCESS_KEY_ID)
export AWS_SECRET_ACCESS_KEY=$(dotenvx get AWS_SECRET_ACCESS_KEY)

Terraform Variables:

export TF_VAR_aws_access_key="$AWS_ACCESS_KEY_ID"
export TF_VAR_aws_secret_key="$AWS_SECRET_ACCESS_KEY"

Bedrock API Access

From Lambda: Uses Lambda execution role (IAM) From external: Uses AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY

---

Cost Management

Bedrock Pricing

Per-Token Pricing (approximate):

• Claude 3.5 Sonnet: ~$0.003/1K input tokens, ~$0.015/1K output tokens
• Claude 3 Opus: ~$0.015/1K input tokens, ~$0.075/1K output tokens
• Claude 3 Haiku: ~$0.00025/1K input tokens, ~$0.00125/1K output tokens

Best Practices:

1. Use Cloudflare KV for caching (reduce API calls)
2. Use Haiku for simple tasks (10x cheaper than Sonnet)
3. Monitor usage in AWS Cost Explorer
4. Set up cost alerts

Lambda Pricing

• First 1M requests/month: Free
• $0.20 per 1M requests after that
• Compute: $0.0000166667 per GB-second

Optimization: Use Cloudflare Workers for edge compute when possible (free tier more generous)

---

Best Practices

Lambda Functions

1. Use environment variables for configuration (not hardcoded)
2. Enable CloudWatch logs for debugging
3. Set appropriate timeout (Bedrock can take 10-30 seconds)
4. Use KMS encryption for sensitive environment variables
5. Test locally before deploying via Terraform

Bedrock Usage

1. Start with Haiku for testing (cheapest)
2. Cache responses in Cloudflare KV (reduce costs)
3. Monitor token usage to avoid surprises
4. Use streaming for long responses (better UX)
5. Set max_tokens limits to control costs

IAM Security

1. Least privilege - Only grant necessary permissions
2. Use roles not user credentials for applications
3. Enable MFA for console access
4. Rotate access keys regularly (in dotenvx)
5. Monitor CloudTrail for unusual activity

---

Quick Reference

Account: 420073135340 Region: us-east-1 Workspace: aws-foundation-prod Location: terraform/aws/foundation/ Terraform Role: arn:aws:iam::420073135340:role/terraform-bedrock-foundation

Secrets (in dotenvx):

• AWS_ACCESS_KEY_ID
• AWS_SECRET_ACCESS_KEY

Primary Use: AI model inference via Bedrock

Never use AWS for: Web hosting, DNS (use Cloudflare instead)

---

Version History

• 1.0.0 (2026-01-09) - Initial AWS skill
  • Bedrock configuration documented
  • IAM roles configured
  • KMS encryption set up
  • Ready for Lambda, S3, DynamoDB deployment