DEV Community: Josh Blair The latest articles on DEV Community by Josh Blair (@josh_blair). https://dev.to/josh_blair https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F100411%2F963e53f6-678b-4041-9d0f-ce8331890bed.png DEV Community: Josh Blair https://dev.to/josh_blair en Building a Production Company Website on AWS — Project Overview Josh Blair Wed, 20 May 2026 22:07:38 +0000 https://dev.to/josh_blair/building-a-production-company-website-on-aws-project-overview-ihg https://dev.to/josh_blair/building-a-production-company-website-on-aws-project-overview-ihg <h2> What We Built </h2> <p>This series documents the end-to-end process of designing, building, and deploying a production company website for a software and cloud consulting business. The result is a modern, fully serverless stack with automated CI/CD deployments — built intentionally to demonstrate and practice the AWS services I use professionally.</p> <p><strong>Tech stack at a glance:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Layer</th> <th>Technology</th> </tr> </thead> <tbody> <tr> <td>Frontend</td> <td>React 18 + Vite + TypeScript + Tailwind CSS v4</td> </tr> <tr> <td>Hosting</td> <td>Amazon S3 + CloudFront (CDN)</td> </tr> <tr> <td>DNS &amp; TLS</td> <td>Route 53 + ACM (SSL/TLS certificate)</td> </tr> <tr> <td>CI/CD</td> <td>GitHub + AWS CodePipeline + CodeBuild</td> </tr> <tr> <td>Contact API</td> <td>API Gateway (HTTP) + AWS Lambda (Python)</td> </tr> <tr> <td>Data storage</td> <td>Amazon DynamoDB</td> </tr> <tr> <td>Email delivery</td> <td>Amazon SES</td> </tr> <tr> <td>IaC</td> <td>AWS CloudFormation + AWS SAM</td> </tr> </tbody> </table></div> <h2> Architecture Overview </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8v63mlwmlkxu22f9tejt.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8v63mlwmlkxu22f9tejt.png" alt="Architecture overview" width="800" height="575"></a></p> <h2> CI/CD Pipeline </h2> <p>Every push to the <code>main</code> branch on GitHub automatically triggers a full build and deploy:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0hz9ido25k6apybbj4nu.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0hz9ido25k6apybbj4nu.png" alt="CI/CD pipeline" width="800" height="344"></a></p> <h2> Articles in This Series </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>#</th> <th>Article</th> <th>What it covers</th> </tr> </thead> <tbody> <tr> <td>1</td> <td> <strong>Project Overview</strong> <em>(this article)</em> </td> <td>Full architecture, stack decisions, what we're building</td> </tr> <tr> <td>2</td> <td><a href="https://dev.to/josh_blair/react-vite-typescript-tailwind-css-v4-project-setup-3ckc">React + Vite + Tailwind Setup</a></td> <td>Scaffolding the SPA, routing, design system, component structure</td> </tr> <tr> <td>3</td> <td><a href="https://dev.to/josh_blair/static-site-hosting-on-aws-s3-cloudfront-acm-and-route-53-4699">Static Site Hosting on AWS</a></td> <td>S3, CloudFront with OAC, ACM, Route 53 DNS, CloudFormation</td> </tr> <tr> <td>4</td> <td><a href="https://dev.to/josh_blair/cicd-with-aws-codepipeline-and-codebuild-de7">CI/CD with CodePipeline &amp; CodeBuild</a></td> <td>GitHub connection, pipeline stages, buildspec.yml, IAM roles</td> </tr> <tr> <td>5</td> <td><a href="https://dev.to/josh_blair/serverless-contact-form-lambda-api-gateway-dynamodb-and-ses-po6">Serverless Contact Form</a></td> <td>Lambda, API Gateway, DynamoDB, SES, CORS, SAM deployment</td> </tr> </tbody> </table></div> <h2> Key Design Decisions </h2> <h3> Why React + Vite (not Next.js)? </h3> <p>Next.js is a great framework, but for a static marketing site, it's overhead. Vite produces a clean static build (<code>dist/</code>) that S3 + CloudFront serves perfectly. The site has no server-side rendering requirements. Vite also gives faster local dev iteration.</p> <h3> Why S3 + CloudFront (not Amplify or Vercel)? </h3> <p>This project is intentionally built on "raw" AWS primitives — CodePipeline, CloudFormation, S3, CloudFront — rather than abstracted platforms. The goal is to learn and demonstrate AWS services used in real enterprise projects.</p> <h3> Why CloudFormation (not CDK or Terraform)? </h3> <p>CloudFormation is the AWS-native tool that every AWS practitioner encounters. Understanding it directly — before abstracting to CDK — builds a stronger mental model of what's actually being deployed.</p> <h3> Why separate ACM cert in us-east-1? </h3> <p>CloudFront is a global service and requires ACM certificates to be provisioned specifically in <code>us-east-1</code>, regardless of where your other resources live. This is an AWS constraint, not a design choice.</p> <h3> Why CloudFront OAC (not OAI)? </h3> <p>Origin Access Control (OAC) is the modern replacement for Origin Access Identity (OAI). It supports all S3 operations, works with SSE-KMS encrypted buckets, and uses AWS SigV4 signing.</p> <h2> Repository Structure </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>bonefishsoftware.com/ ├── src/ # React source │ ├── components/ # Navbar, Footer, SectionHeader │ ├── pages/ # Home, Services, Technologies, Portfolio, Team, Contact │ └── data/ # services.ts, technologies.ts, team.ts ├── public/ # Static assets (logo, sitemap, robots.txt) ├── lambda/ │ └── contact/ # Python Lambda — contact form handler ├── infra/ │ ├── acm/ # certificate.yml (deploy to us-east-1) │ └── stacks/ │ ├── website.yml # S3 + CloudFront (deploy to us-west-2) │ ├── pipeline.yml # CodePipeline + CodeBuild (deploy to us-west-2) │ └── contact-api.yml # SAM — API Gateway + Lambda + DynamoDB (deploy to us-west-2) ├── docs/ # This documentation ├── buildspec.yml # CodeBuild build spec └── index.html # Vite entry point with SEO meta tags </code></pre> </div> aws webdev tutorial cloud Serverless Contact Form — Lambda, API Gateway, DynamoDB, and SES Josh Blair Wed, 20 May 2026 22:07:35 +0000 https://dev.to/josh_blair/serverless-contact-form-lambda-api-gateway-dynamodb-and-ses-po6 https://dev.to/josh_blair/serverless-contact-form-lambda-api-gateway-dynamodb-and-ses-po6 <h2> Overview </h2> <p>The contact form on bonefishsoftware.com is fully serverless — no EC2, no always-on server. A visitor submits the form, the request hits an API Gateway HTTP API, a Python Lambda function validates and stores the submission in DynamoDB, then sends an email notification via SES. Cost at low volume: effectively zero.</p> <h2> Flow </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1h4p7jcsdxa8x95c3082.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1h4p7jcsdxa8x95c3082.png" alt="Contact form flow" width="799" height="364"></a></p> <h2> Infrastructure — AWS SAM </h2> <p>The contact API is deployed using <strong>AWS SAM</strong> (Serverless Application Model), a CloudFormation extension that simplifies Lambda + API Gateway resource definitions.</p> <blockquote> <p><strong>Why SAM over plain CloudFormation?</strong><br><br> SAM's <code>AWS::Serverless::Function</code> with <code>Events</code> automatically creates the API Gateway routes, integrations, Lambda permissions, and stage. Doing this in plain CloudFormation requires 6–8 separate resource definitions. SAM condenses it to one function resource with an <code>Events</code> section.</p> </blockquote> <h3> Key lesson: <code>AWS::Serverless::HttpApi</code> vs <code>AWS::ApiGatewayV2::Api</code> </h3> <p>The most important thing to get right: when using SAM's <code>HttpApi</code> event type, the <code>ApiId</code> <strong>must reference an <code>AWS::Serverless::HttpApi</code> resource</strong> — not a native <code>AWS::ApiGatewayV2::Api</code>.</p> <p>Using the wrong resource type results in the SAM transform silently skipping route and integration creation, leaving you with a deployed API that returns 404 on every request.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># ✅ Correct — SAM manages routes/integrations automatically</span> <span class="na">ContactApi</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Serverless::HttpApi</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">CorsConfiguration</span><span class="pi">:</span> <span class="na">AllowOrigins</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">https</span><span class="pi">:</span><span class="nv">//bonefishsoftware.com</span><span class="pi">]</span> <span class="na">AllowMethods</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">POST</span><span class="pi">,</span> <span class="nv">OPTIONS</span><span class="pi">]</span> <span class="na">AllowHeaders</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">Content-Type</span><span class="pi">]</span> <span class="na">ContactFunction</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Serverless::Function</span> <span class="na">Events</span><span class="pi">:</span> <span class="na">PostContact</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">HttpApi</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ApiId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ContactApi</span> <span class="c1"># ← references Serverless::HttpApi</span> <span class="na">Path</span><span class="pi">:</span> <span class="s">/contact</span> <span class="na">Method</span><span class="pi">:</span> <span class="s">POST</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># ❌ Wrong — routes NOT created by SAM</span> <span class="na">ContactApi</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::ApiGatewayV2::Api</span> <span class="c1"># ← native resource, SAM ignores events</span> </code></pre> </div> <h2> Lambda Function (Python) </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># lambda/contact/handler.py </span> <span class="kn">import</span> <span class="n">json</span><span class="p">,</span> <span class="n">os</span><span class="p">,</span> <span class="n">uuid</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span><span class="p">,</span> <span class="n">timezone</span> <span class="kn">import</span> <span class="n">boto3</span> <span class="kn">from</span> <span class="n">botocore.exceptions</span> <span class="kn">import</span> <span class="n">ClientError</span> <span class="n">ALLOWED_ORIGIN</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">ALLOWED_ORIGIN</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">https://bonefishsoftware.com</span><span class="sh">"</span><span class="p">)</span> <span class="n">TABLE_NAME</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">TABLE_NAME</span><span class="sh">"</span><span class="p">]</span> <span class="n">FROM_ADDRESS</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">FROM_ADDRESS</span><span class="sh">"</span><span class="p">]</span> <span class="n">TO_ADDRESS</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">TO_ADDRESS</span><span class="sh">"</span><span class="p">]</span> <span class="n">dynamodb</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">resource</span><span class="p">(</span><span class="sh">"</span><span class="s">dynamodb</span><span class="sh">"</span><span class="p">)</span> <span class="n">ses</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">"</span><span class="s">ses</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="c1"># Handle CORS preflight </span> <span class="k">if</span> <span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">requestContext</span><span class="sh">"</span><span class="p">,</span> <span class="p">{}).</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">http</span><span class="sh">"</span><span class="p">,</span> <span class="p">{}).</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">method</span><span class="sh">"</span><span class="p">)</span> <span class="o">==</span> <span class="sh">"</span><span class="s">OPTIONS</span><span class="sh">"</span><span class="p">:</span> <span class="k">return</span> <span class="nf">_response</span><span class="p">(</span><span class="mi">200</span><span class="p">,</span> <span class="p">{})</span> <span class="c1"># Parse and validate </span> <span class="k">try</span><span class="p">:</span> <span class="n">body</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">)</span> <span class="ow">or</span> <span class="sh">"</span><span class="s">{}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">except </span><span class="p">(</span><span class="n">json</span><span class="p">.</span><span class="n">JSONDecodeError</span><span class="p">,</span> <span class="nb">TypeError</span><span class="p">):</span> <span class="k">return</span> <span class="nf">_response</span><span class="p">(</span><span class="mi">400</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Invalid request body.</span><span class="sh">"</span><span class="p">})</span> <span class="n">name</span> <span class="o">=</span> <span class="p">(</span><span class="n">body</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">)</span> <span class="ow">or</span> <span class="sh">""</span><span class="p">).</span><span class="nf">strip</span><span class="p">()</span> <span class="n">email</span> <span class="o">=</span> <span class="p">(</span><span class="n">body</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">email</span><span class="sh">"</span><span class="p">)</span> <span class="ow">or</span> <span class="sh">""</span><span class="p">).</span><span class="nf">strip</span><span class="p">()</span> <span class="n">message</span> <span class="o">=</span> <span class="p">(</span><span class="n">body</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">)</span> <span class="ow">or</span> <span class="sh">""</span><span class="p">).</span><span class="nf">strip</span><span class="p">()</span> <span class="n">company</span> <span class="o">=</span> <span class="p">(</span><span class="n">body</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">company</span><span class="sh">"</span><span class="p">)</span> <span class="ow">or</span> <span class="sh">""</span><span class="p">).</span><span class="nf">strip</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">name</span> <span class="ow">or</span> <span class="ow">not</span> <span class="n">email</span> <span class="ow">or</span> <span class="ow">not</span> <span class="n">message</span><span class="p">:</span> <span class="k">return</span> <span class="nf">_response</span><span class="p">(</span><span class="mi">400</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Name, email, and message are required.</span><span class="sh">"</span><span class="p">})</span> <span class="k">if</span> <span class="sh">"</span><span class="s">@</span><span class="sh">"</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">email</span> <span class="ow">or</span> <span class="sh">"</span><span class="s">.</span><span class="sh">"</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">email</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">"</span><span class="s">@</span><span class="sh">"</span><span class="p">)[</span><span class="o">-</span><span class="mi">1</span><span class="p">]:</span> <span class="k">return</span> <span class="nf">_response</span><span class="p">(</span><span class="mi">400</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Please provide a valid email address.</span><span class="sh">"</span><span class="p">})</span> <span class="n">submission_id</span> <span class="o">=</span> <span class="nf">str</span><span class="p">(</span><span class="n">uuid</span><span class="p">.</span><span class="nf">uuid4</span><span class="p">())</span> <span class="n">timestamp</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">(</span><span class="n">timezone</span><span class="p">.</span><span class="n">utc</span><span class="p">).</span><span class="nf">isoformat</span><span class="p">()</span> <span class="k">try</span><span class="p">:</span> <span class="nf">_save_to_dynamo</span><span class="p">(</span><span class="n">submission_id</span><span class="p">,</span> <span class="n">timestamp</span><span class="p">,</span> <span class="n">name</span><span class="p">,</span> <span class="n">email</span><span class="p">,</span> <span class="n">company</span><span class="p">,</span> <span class="n">message</span><span class="p">)</span> <span class="nf">_send_email</span><span class="p">(</span><span class="n">submission_id</span><span class="p">,</span> <span class="n">timestamp</span><span class="p">,</span> <span class="n">name</span><span class="p">,</span> <span class="n">email</span><span class="p">,</span> <span class="n">company</span><span class="p">,</span> <span class="n">message</span><span class="p">)</span> <span class="k">except</span> <span class="n">ClientError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">AWS error: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="nf">_response</span><span class="p">(</span><span class="mi">500</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Failed to process your message. Please try again.</span><span class="sh">"</span><span class="p">})</span> <span class="k">return</span> <span class="nf">_response</span><span class="p">(</span><span class="mi">200</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Message received! We</span><span class="sh">'</span><span class="s">ll be in touch soon.</span><span class="sh">"</span><span class="p">})</span> </code></pre> </div> <h3> Why no external dependencies? </h3> <p>Python's <code>boto3</code> SDK is built into the Lambda runtime — no requirements.txt needed. The deployment package is just a single <code>handler.py</code> file, keeping Lambda cold-start time minimal.</p> <h3> Validation approach </h3> <p>Validation is intentionally lightweight:</p> <ul> <li>Required field presence check</li> <li>Naive email format check (contains <code>@</code> and a <code>.</code> after it)</li> </ul> <p>We're not the primary spam defense here — the contact form has no public financial incentive to spam, and rate limiting can be added at the API Gateway level later if needed.</p> <h2> DynamoDB Table </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">SubmissionsTable</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::DynamoDB::Table</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">TableName</span><span class="pi">:</span> <span class="s">bonefish-contact-submissions</span> <span class="na">BillingMode</span><span class="pi">:</span> <span class="s">PAY_PER_REQUEST</span> <span class="na">AttributeDefinitions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">AttributeName</span><span class="pi">:</span> <span class="s">submissionId</span> <span class="na">AttributeType</span><span class="pi">:</span> <span class="s">S</span> <span class="pi">-</span> <span class="na">AttributeName</span><span class="pi">:</span> <span class="s">timestamp</span> <span class="na">AttributeType</span><span class="pi">:</span> <span class="s">S</span> <span class="na">KeySchema</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">AttributeName</span><span class="pi">:</span> <span class="s">submissionId</span> <span class="na">KeyType</span><span class="pi">:</span> <span class="s">HASH</span> <span class="pi">-</span> <span class="na">AttributeName</span><span class="pi">:</span> <span class="s">timestamp</span> <span class="na">KeyType</span><span class="pi">:</span> <span class="s">RANGE</span> </code></pre> </div> <p><strong>PAY_PER_REQUEST billing</strong> — no provisioned capacity to manage. At the volume of a contact form (single-digit submissions per day at most), this costs essentially nothing.</p> <p><strong>Composite key</strong> (submissionId + timestamp) — the UUID ensures uniqueness; the timestamp makes it easy to sort and query submissions chronologically in future tooling.</p> <h2> SES Email Delivery </h2> <h3> Domain verification (DKIM) </h3> <p>Emails sent from <code>noreply@bonefishsoftware.com</code> require the domain to be verified in SES. This involves adding three DKIM CNAME records to Route 53:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws sesv2 create-email-identity <span class="se">\</span> <span class="nt">--email-identity</span> bonefishsoftware.com <span class="se">\</span> <span class="nt">--region</span> us-west-2 <span class="c"># → returns 3 DKIM tokens</span> <span class="c"># Add CNAME records: &lt;token&gt;._domainkey.bonefishsoftware.com → &lt;token&gt;.dkim.amazonses.com</span> </code></pre> </div> <p>DKIM signing tells receiving mail servers that the email genuinely came from our domain, improving deliverability and preventing spoofing.</p> <h3> Sandbox mode </h3> <p>By default, SES operates in <strong>sandbox mode</strong> — you can only send to verified email addresses. This is sufficient for the contact form (we only send TO <code>josh.blair@gmail.com</code>, which is verified). The submitter's email address appears only in the <code>Reply-To</code> header and the email body — never as a direct recipient.</p> <p>SES production access (removing sandbox restrictions) was requested via:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws sesv2 put-account-details <span class="se">\</span> <span class="nt">--mail-type</span> TRANSACTIONAL <span class="se">\</span> <span class="nt">--website-url</span> https://bonefishsoftware.com <span class="se">\</span> <span class="nt">--use-case-description</span> <span class="s2">"..."</span> <span class="se">\</span> <span class="nt">--production-access-enabled</span> </code></pre> </div> <h3> Reply-To header </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">ses</span><span class="p">.</span><span class="nf">send_email</span><span class="p">(</span> <span class="n">Source</span><span class="o">=</span><span class="n">FROM_ADDRESS</span><span class="p">,</span> <span class="c1"># noreply@bonefishsoftware.com </span> <span class="n">Destination</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">ToAddresses</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span><span class="n">TO_ADDRESS</span><span class="p">]},</span> <span class="c1"># josh.blair@gmail.com </span> <span class="n">Message</span><span class="o">=</span><span class="p">{...},</span> <span class="n">ReplyToAddresses</span><span class="o">=</span><span class="p">[</span><span class="n">email</span><span class="p">],</span> <span class="c1"># submitter's email </span><span class="p">)</span> </code></pre> </div> <p>Setting <code>ReplyToAddresses</code> to the submitter's email means hitting "Reply" in gmail automatically addresses the response to the client — no copy-pasting required.</p> <h2> CORS Configuration </h2> <p>CORS is configured at the API Gateway level (not in the Lambda response), via the <code>AWS::Serverless::HttpApi</code> resource:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">ContactApi</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Serverless::HttpApi</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">CorsConfiguration</span><span class="pi">:</span> <span class="na">AllowOrigins</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">https://bonefishsoftware.com</span> <span class="pi">-</span> <span class="s">http://localhost:5173</span> <span class="c1"># local dev</span> <span class="na">AllowHeaders</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">Content-Type</span> <span class="na">AllowMethods</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">POST</span> <span class="pi">-</span> <span class="s">OPTIONS</span> <span class="na">MaxAge</span><span class="pi">:</span> <span class="m">300</span> </code></pre> </div> <p>The Lambda still returns <code>Access-Control-Allow-Origin</code> headers in its response (for safety), but API Gateway handles the OPTIONS preflight response automatically.</p> <p><strong>Lesson learned:</strong> An early version used <code>AWS::ApiGatewayV2::Api</code> instead of <code>AWS::Serverless::HttpApi</code>. The CORS configuration was present but the routes were never created — resulting in 404 responses and CORS errors in the browser. Switching to <code>AWS::Serverless::HttpApi</code> resolved both issues simultaneously.</p> <h2> Frontend Integration </h2> <p>The contact form in React fetches the API URL from a Vite environment variable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// src/pages/Contact.tsx</span> <span class="kd">const</span> <span class="nx">apiUrl</span> <span class="o">=</span> <span class="k">import</span><span class="p">.</span><span class="nx">meta</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">VITE_CONTACT_API_URL</span><span class="p">;</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">handleSubmit</span><span class="p">(</span><span class="nx">e</span><span class="p">:</span> <span class="nx">React</span><span class="p">.</span><span class="nx">FormEvent</span><span class="p">)</span> <span class="p">{</span> <span class="nx">e</span><span class="p">.</span><span class="nf">preventDefault</span><span class="p">();</span> <span class="nf">setStatus</span><span class="p">(</span><span class="dl">'</span><span class="s1">submitting</span><span class="dl">'</span><span class="p">);</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="nx">apiUrl</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">form</span><span class="p">),</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">res</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Request failed</span><span class="dl">'</span><span class="p">);</span> <span class="nf">setStatus</span><span class="p">(</span><span class="dl">'</span><span class="s1">success</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{</span> <span class="nf">setStatus</span><span class="p">(</span><span class="dl">'</span><span class="s1">error</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><code>VITE_CONTACT_API_URL</code> is injected at build time by CodeBuild as an environment variable. Vite replaces <code>import.meta.env.VITE_*</code> references with literal string values during the build — there's no runtime environment lookup.</p> <h2> SAM Deployment </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>sam deploy <span class="se">\</span> <span class="nt">--template-file</span> infra/stacks/contact-api.yml <span class="se">\</span> <span class="nt">--stack-name</span> bonefish-contact-api <span class="se">\</span> <span class="nt">--region</span> us-west-2 <span class="se">\</span> <span class="nt">--capabilities</span> CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND <span class="se">\</span> <span class="nt">--s3-bucket</span> bonefish-pipeline-artifacts-709085484102 <span class="se">\</span> <span class="nt">--s3-prefix</span> sam-contact <span class="se">\</span> <span class="nt">--no-confirm-changeset</span> </code></pre> </div> <p><code>CAPABILITY_AUTO_EXPAND</code> is required when the template uses <code>Transform: AWS::Serverless-2016-10-31</code>. This tells CloudFormation to expand SAM macros before processing the template.</p> <p>SAM packages the Lambda code (zips <code>lambda/contact/</code>), uploads to the artifacts S3 bucket, and replaces the local <code>CodeUri</code> path with the S3 URL in the transformed template — all automatically.</p> <h2> Cost Analysis </h2> <p>At typical consulting site traffic:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Resource</th> <th>Usage</th> <th>Estimated cost</th> </tr> </thead> <tbody> <tr> <td>API Gateway HTTP API</td> <td>100 requests/month</td> <td>$0.001</td> </tr> <tr> <td>Lambda</td> <td>100 invocations × 128MB × 500ms</td> <td>&lt; $0.01</td> </tr> <tr> <td>DynamoDB</td> <td>100 writes, PAY_PER_REQUEST</td> <td>&lt; $0.01</td> </tr> <tr> <td>SES</td> <td>100 emails</td> <td>$0.01</td> </tr> <tr> <td><strong>Total</strong></td> <td></td> <td><strong>&lt; $0.05/month</strong></td> </tr> </tbody> </table></div> <p>The entire contact form backend costs pennies per month.</p> aws serverless python tutorial CI/CD with AWS CodePipeline and CodeBuild Josh Blair Wed, 20 May 2026 22:07:31 +0000 https://dev.to/josh_blair/cicd-with-aws-codepipeline-and-codebuild-de7 https://dev.to/josh_blair/cicd-with-aws-codepipeline-and-codebuild-de7 <h2> Overview </h2> <p>Every push to the <code>main</code> branch on GitHub automatically builds the React app and deploys it to S3 + CloudFront — zero manual steps. This article covers how that pipeline is wired together using AWS CodePipeline, CodeBuild, and GitHub via CodeStar Connections.</p> <h2> Pipeline Flow </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0hz9ido25k6apybbj4nu.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0hz9ido25k6apybbj4nu.png" alt="CI/CD pipeline" width="800" height="344"></a></p> <h2> CloudFormation Stack </h2> <p>The pipeline infrastructure is defined in <code>infra/stacks/pipeline.yml</code>.</p> <h3> CodeStar Connection (GitHub App) </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">GitHubConnection</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::CodeStarConnections::Connection</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ConnectionName</span><span class="pi">:</span> <span class="s">bonefish-github</span> <span class="na">ProviderType</span><span class="pi">:</span> <span class="s">GitHub</span> </code></pre> </div> <blockquote> <p><strong>Manual step required:</strong> After deploying the stack, you must go to <strong>AWS Console → CodePipeline → Settings → Connections</strong> and click "Update pending connection" to authorize the GitHub App. This cannot be automated — AWS requires explicit human approval to grant access to your GitHub account.</p> </blockquote> <p>When authorizing, install the <strong>AWS Connector for GitHub</strong> app on your GitHub account and grant it access to the specific repository. "Connect as a GitHub user" only works for CodeBuild — CodePipeline requires the GitHub App.</p> <h3> Artifact Bucket </h3> <p>Intermediate pipeline artifacts (source zip, build output) are stored in a private S3 bucket:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">ArtifactBucket</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::S3::Bucket</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">BucketName</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s1">'</span><span class="s">bonefish-pipeline-artifacts-${AWS::AccountId}'</span> <span class="na">VersioningConfiguration</span><span class="pi">:</span> <span class="na">Status</span><span class="pi">:</span> <span class="s">Enabled</span> <span class="na">PublicAccessBlockConfiguration</span><span class="pi">:</span> <span class="na">BlockPublicAcls</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">BlockPublicPolicy</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">IgnorePublicAcls</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">RestrictPublicBuckets</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <h3> CodeBuild Project </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">BuildProject</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::CodeBuild::Project</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Name</span><span class="pi">:</span> <span class="s">bonefish-build</span> <span class="na">ServiceRole</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">CodeBuildRole.Arn</span> <span class="na">Artifacts</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">CODEPIPELINE</span> <span class="na">Environment</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">LINUX_CONTAINER</span> <span class="na">ComputeType</span><span class="pi">:</span> <span class="s">BUILD_GENERAL1_SMALL</span> <span class="na">Image</span><span class="pi">:</span> <span class="s">aws/codebuild/standard:7.0</span> <span class="na">EnvironmentVariables</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Name</span><span class="pi">:</span> <span class="s">S3_BUCKET</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">S3BucketName</span> <span class="pi">-</span> <span class="na">Name</span><span class="pi">:</span> <span class="s">DISTRIBUTION_ID</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">DistributionId</span> <span class="na">Source</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">CODEPIPELINE</span> <span class="na">BuildSpec</span><span class="pi">:</span> <span class="s">buildspec.yml</span> </code></pre> </div> <h3> CodePipeline </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">Pipeline</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::CodePipeline::Pipeline</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Name</span><span class="pi">:</span> <span class="s">bonefish-website-pipeline</span> <span class="na">RoleArn</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">PipelineRole.Arn</span> <span class="na">PipelineType</span><span class="pi">:</span> <span class="s">V2</span> <span class="na">Stages</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Name</span><span class="pi">:</span> <span class="s">Source</span> <span class="na">Actions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Name</span><span class="pi">:</span> <span class="s">GitHub</span> <span class="na">ActionTypeId</span><span class="pi">:</span> <span class="na">Category</span><span class="pi">:</span> <span class="s">Source</span> <span class="na">Owner</span><span class="pi">:</span> <span class="s">AWS</span> <span class="na">Provider</span><span class="pi">:</span> <span class="s">CodeStarSourceConnection</span> <span class="na">Version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">1'</span> <span class="na">Configuration</span><span class="pi">:</span> <span class="na">ConnectionArn</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">GitHubConnection</span> <span class="na">FullRepositoryId</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s1">'</span><span class="s">${GitHubOwner}/${GitHubRepo}'</span> <span class="na">BranchName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">GitHubBranch</span> <span class="na">DetectChanges</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">OutputArtifacts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Name</span><span class="pi">:</span> <span class="s">SourceArtifact</span> <span class="pi">-</span> <span class="na">Name</span><span class="pi">:</span> <span class="s">Build</span> <span class="na">Actions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Name</span><span class="pi">:</span> <span class="s">BuildAndDeploy</span> <span class="na">ActionTypeId</span><span class="pi">:</span> <span class="na">Category</span><span class="pi">:</span> <span class="s">Build</span> <span class="na">Owner</span><span class="pi">:</span> <span class="s">AWS</span> <span class="na">Provider</span><span class="pi">:</span> <span class="s">CodeBuild</span> <span class="na">Version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">1'</span> <span class="na">Configuration</span><span class="pi">:</span> <span class="na">ProjectName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">BuildProject</span> <span class="na">InputArtifacts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Name</span><span class="pi">:</span> <span class="s">SourceArtifact</span> </code></pre> </div> <p><code>DetectChanges: true</code> means CodePipeline automatically triggers on every push to the configured branch — no webhooks to configure manually.</p> <h2> IAM Roles </h2> <p>Two IAM roles are needed: one for CodePipeline, one for CodeBuild.</p> <h3> CodePipeline Role </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">PipelineRole</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::IAM::Role</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">AssumeRolePolicyDocument</span><span class="pi">:</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">Service</span><span class="pi">:</span> <span class="s">codepipeline.amazonaws.com</span> <span class="na">Action</span><span class="pi">:</span> <span class="s">sts:AssumeRole</span> <span class="na">Policies</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">PolicyName</span><span class="pi">:</span> <span class="s">PipelinePolicy</span> <span class="na">PolicyDocument</span><span class="pi">:</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Sid</span><span class="pi">:</span> <span class="s">ArtifactBucket</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">s3</span><span class="pi">:</span><span class="nv">GetObject</span><span class="pi">,</span> <span class="nv">s3</span><span class="pi">:</span><span class="nv">PutObject</span><span class="pi">,</span> <span class="nv">s3</span><span class="pi">:</span><span class="nv">GetObjectVersion</span><span class="pi">,</span> <span class="nv">s3</span><span class="pi">:</span><span class="nv">GetBucketVersioning</span><span class="pi">]</span> <span class="na">Resource</span><span class="pi">:</span> <span class="pi">[</span><span class="kt">!Sub</span> <span class="s1">'</span><span class="s">${ArtifactBucket.Arn}'</span><span class="pi">,</span> <span class="kt">!Sub</span> <span class="s1">'</span><span class="s">${ArtifactBucket.Arn}/*'</span><span class="pi">]</span> <span class="pi">-</span> <span class="na">Sid</span><span class="pi">:</span> <span class="s">CodeBuild</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">codebuild</span><span class="pi">:</span><span class="nv">BatchGetBuilds</span><span class="pi">,</span> <span class="nv">codebuild</span><span class="pi">:</span><span class="nv">StartBuild</span><span class="pi">]</span> <span class="na">Resource</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">BuildProject.Arn</span> <span class="pi">-</span> <span class="na">Sid</span><span class="pi">:</span> <span class="s">CodeStarConnection</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">codestar-connections</span><span class="pi">:</span><span class="nv">UseConnection</span><span class="pi">]</span> <span class="na">Resource</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">GitHubConnection</span> </code></pre> </div> <h3> CodeBuild Role </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">CodeBuildRole</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::IAM::Role</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">AssumeRolePolicyDocument</span><span class="pi">:</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">Service</span><span class="pi">:</span> <span class="s">codebuild.amazonaws.com</span> <span class="na">Action</span><span class="pi">:</span> <span class="s">sts:AssumeRole</span> <span class="na">Policies</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">PolicyName</span><span class="pi">:</span> <span class="s">CodeBuildPolicy</span> <span class="na">PolicyDocument</span><span class="pi">:</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Sid</span><span class="pi">:</span> <span class="s">Logs</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">logs</span><span class="pi">:</span><span class="nv">CreateLogGroup</span><span class="pi">,</span> <span class="nv">logs</span><span class="pi">:</span><span class="nv">CreateLogStream</span><span class="pi">,</span> <span class="nv">logs</span><span class="pi">:</span><span class="nv">PutLogEvents</span><span class="pi">]</span> <span class="na">Resource</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="pi">-</span> <span class="na">Sid</span><span class="pi">:</span> <span class="s">ArtifactBucket</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">s3</span><span class="pi">:</span><span class="nv">GetObject</span><span class="pi">,</span> <span class="nv">s3</span><span class="pi">:</span><span class="nv">PutObject</span><span class="pi">,</span> <span class="nv">s3</span><span class="pi">:</span><span class="nv">GetObjectVersion</span><span class="pi">]</span> <span class="na">Resource</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s1">'</span><span class="s">${ArtifactBucket.Arn}/*'</span> <span class="pi">-</span> <span class="na">Sid</span><span class="pi">:</span> <span class="s">WebsiteSync</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">s3</span><span class="pi">:</span><span class="nv">PutObject</span><span class="pi">,</span> <span class="nv">s3</span><span class="pi">:</span><span class="nv">DeleteObject</span><span class="pi">,</span> <span class="nv">s3</span><span class="pi">:</span><span class="nv">GetObject</span><span class="pi">,</span> <span class="nv">s3</span><span class="pi">:</span><span class="nv">ListBucket</span><span class="pi">]</span> <span class="na">Resource</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Sub</span> <span class="s1">'</span><span class="s">arn:aws:s3:::${S3BucketName}'</span> <span class="pi">-</span> <span class="kt">!Sub</span> <span class="s1">'</span><span class="s">arn:aws:s3:::${S3BucketName}/*'</span> <span class="pi">-</span> <span class="na">Sid</span><span class="pi">:</span> <span class="s">CloudFrontInvalidation</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">cloudfront</span><span class="pi">:</span><span class="nv">CreateInvalidation</span><span class="pi">]</span> <span class="na">Resource</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s1">'</span><span class="s">arn:aws:cloudfront::${AWS::AccountId}:distribution/${DistributionId}'</span> </code></pre> </div> <p>Principle of least privilege — CodeBuild can only write to the specific S3 bucket and invalidate the specific CloudFront distribution.</p> <h2> buildspec.yml </h2> <p>The build specification lives in the repo root and tells CodeBuild exactly what to do:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="m">0.2</span> <span class="na">env</span><span class="pi">:</span> <span class="na">variables</span><span class="pi">:</span> <span class="na">VITE_CONTACT_API_URL</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="c1"># overridden by CodeBuild project env var</span> <span class="na">phases</span><span class="pi">:</span> <span class="na">install</span><span class="pi">:</span> <span class="na">runtime-versions</span><span class="pi">:</span> <span class="na">nodejs</span><span class="pi">:</span> <span class="m">20</span> <span class="na">commands</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">npm ci</span> <span class="na">build</span><span class="pi">:</span> <span class="na">commands</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">npm run build</span> <span class="na">post_build</span><span class="pi">:</span> <span class="na">commands</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">aws s3 sync dist/ s3://$S3_BUCKET --delete</span> <span class="pi">-</span> <span class="s">aws cloudfront create-invalidation --distribution-id $DISTRIBUTION_ID --paths "/*"</span> </code></pre> </div> <h3> Key points </h3> <p><strong><code>npm ci</code> not <code>npm install</code></strong><br><br> <code>npm ci</code> installs exactly what's in <code>package-lock.json</code> and fails if there are any discrepancies. This ensures deterministic builds — the same packages every time, in every environment.</p> <p><strong><code>--delete</code> flag on s3 sync</strong><br><br> Removes files from S3 that no longer exist in the build output. Without this, deleted pages or renamed assets would stay in S3 forever and get served to users.</p> <p><strong>CloudFront invalidation</strong><br><br> Vite includes content hashes in asset filenames (<code>index-BX7FeaXh.js</code>), so JS/CSS files are automatically cache-busted. However, <code>index.html</code> itself doesn't have a hash — it must be explicitly invalidated so CloudFront fetches the new version immediately.</p> <p><strong><code>VITE_CONTACT_API_URL</code> env var</strong><br><br> Vite's <code>import.meta.env.VITE_*</code> variables are replaced at build time (not runtime). The API Gateway URL is injected by CodeBuild as an environment variable and baked into the built JS bundle. This means the frontend always has the correct endpoint URL without any runtime configuration.</p> <h2> Troubleshooting the GitHub Connection </h2> <p>The CodeStar Connection requires careful setup. Common issues encountered:</p> <p><strong>Status: PENDING after stack deploy</strong><br><br> Expected. You must visit the AWS Console to authorize it. Cannot be done via CLI.</p> <p><strong>"No Branch found" error</strong><br><br> The GitHub App was authorized but the private repository wasn't explicitly granted access. Fix: GitHub → Settings → Applications → AWS Connector for GitHub → Configure → add the repo.</p> <p><strong>"Role does not have sufficient permissions" error</strong><br><br> After replacing a broken connection with a new one, the CodePipeline IAM role policy still referenced the old connection ARN. Fix: update the <code>codestar-connections:UseConnection</code> resource ARN in the IAM policy to match the new connection ARN.</p> <h2> Deployment Timeline </h2> <p>From <code>git push</code> to live site:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Phase</th> <th>Duration</th> </tr> </thead> <tbody> <tr> <td>CodePipeline detects change</td> <td>~10 seconds</td> </tr> <tr> <td>Source download from GitHub</td> <td>~15 seconds</td> </tr> <tr> <td> <code>npm ci</code> (cache warm)</td> <td>~30 seconds</td> </tr> <tr> <td> <code>npm run build</code> (tsc + vite)</td> <td>~15 seconds</td> </tr> <tr> <td><code>aws s3 sync</code></td> <td>~10 seconds</td> </tr> <tr> <td>CloudFront invalidation</td> <td>~10 seconds</td> </tr> <tr> <td><strong>Total</strong></td> <td><strong>~90 seconds</strong></td> </tr> </tbody> </table></div> <p>Full deployment in under two minutes on every push to main.</p> aws devops tutorial cicd Static Site Hosting on AWS — S3, CloudFront, ACM, and Route 53 Josh Blair Wed, 20 May 2026 22:07:27 +0000 https://dev.to/josh_blair/static-site-hosting-on-aws-s3-cloudfront-acm-and-route-53-4699 https://dev.to/josh_blair/static-site-hosting-on-aws-s3-cloudfront-acm-and-route-53-4699 <h2> Overview </h2> <p>This article covers deploying a static React site to AWS using S3 as the origin, CloudFront as the CDN, ACM for TLS certificates, and Route 53 for DNS. Everything is defined as CloudFormation infrastructure-as-code.</p> <h2> Architecture </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8v63mlwmlkxu22f9tejt.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8v63mlwmlkxu22f9tejt.png" alt="Static hosting architecture" width="800" height="575"></a></p> <h2> CloudFormation Infrastructure </h2> <p>The hosting infrastructure is split across <strong>three stacks</strong> deployed in sequence:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Stack</th> <th>File</th> <th>Region</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td><code>bonefish-acm</code></td> <td><code>infra/acm/certificate.yml</code></td> <td><strong>us-east-1</strong></td> <td>ACM TLS certificate</td> </tr> <tr> <td><code>bonefish-website</code></td> <td><code>infra/stacks/website.yml</code></td> <td>us-west-2</td> <td>S3 + CloudFront</td> </tr> <tr> <td><code>bonefish-pipeline</code></td> <td><code>infra/stacks/pipeline.yml</code></td> <td>us-west-2</td> <td>CI/CD (covered in article 4)</td> </tr> </tbody> </table></div> <h2> ACM Certificate (us-east-1) </h2> <blockquote> <p><strong>Why us-east-1?</strong> CloudFront is a global service that only accepts ACM certificates provisioned in <code>us-east-1</code>. This is an AWS requirement regardless of where your other resources live.<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># infra/acm/certificate.yml</span> <span class="na">Resources</span><span class="pi">:</span> <span class="na">Certificate</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::CertificateManager::Certificate</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">DomainName</span><span class="pi">:</span> <span class="s">bonefishsoftware.com</span> <span class="na">SubjectAlternativeNames</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">www.bonefishsoftware.com</span> <span class="na">ValidationMethod</span><span class="pi">:</span> <span class="s">DNS</span> </code></pre> </div> <p><strong>DNS validation:</strong> ACM generates two CNAME records that must be added to your DNS zone. Because the domain is managed by Route 53, we added these via CLI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws route53 change-resource-record-sets <span class="se">\</span> <span class="nt">--hosted-zone-id</span> <span class="nv">$ZONE_ID</span> <span class="se">\</span> <span class="nt">--change-batch</span> <span class="s1">'{ "Changes": [ { "Action": "UPSERT", "ResourceRecordSet": { "Name": "_bf48ff...bonefishsoftware.com.", "Type": "CNAME", "TTL": 300, "ResourceRecords": [{"Value": "_ea68....acm-validations.aws."}] }} ]}'</span> </code></pre> </div> <p>Once the domain's nameservers resolve correctly, ACM validates automatically (typically 2–5 minutes).</p> <h2> S3 Bucket </h2> <p>The S3 bucket is <strong>private</strong> — no public access whatsoever. CloudFront accesses it via OAC (Origin Access Control).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">WebsiteBucket</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::S3::Bucket</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">BucketName</span><span class="pi">:</span> <span class="s">bonefishsoftware-com-website</span> <span class="na">VersioningConfiguration</span><span class="pi">:</span> <span class="na">Status</span><span class="pi">:</span> <span class="s">Enabled</span> <span class="na">PublicAccessBlockConfiguration</span><span class="pi">:</span> <span class="na">BlockPublicAcls</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">BlockPublicPolicy</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">IgnorePublicAcls</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">RestrictPublicBuckets</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <h3> Bucket Policy — allow CloudFront OAC only </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">WebsiteBucketPolicy</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::S3::BucketPolicy</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Bucket</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">WebsiteBucket</span> <span class="na">PolicyDocument</span><span class="pi">:</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">Service</span><span class="pi">:</span> <span class="s">cloudfront.amazonaws.com</span> <span class="na">Action</span><span class="pi">:</span> <span class="s">s3:GetObject</span> <span class="na">Resource</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s1">'</span><span class="s">${WebsiteBucket.Arn}/*'</span> <span class="na">Condition</span><span class="pi">:</span> <span class="na">StringEquals</span><span class="pi">:</span> <span class="na">AWS:SourceArn</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="pi">&gt;-</span> <span class="s">arn:aws:cloudfront::${AWS::AccountId}:distribution/${Distribution}</span> </code></pre> </div> <p>The <code>AWS:SourceArn</code> condition means only our specific CloudFront distribution can read from this bucket — not any other CloudFront distribution in any AWS account.</p> <h2> Origin Access Control (OAC) </h2> <p>OAC is the modern replacement for Origin Access Identity (OAI). Key advantages:</p> <ul> <li>Supports all S3 API operations</li> <li>Works with SSE-KMS encrypted buckets</li> <li>Uses AWS SigV4 request signing (more secure) </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">OriginAccessControl</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::CloudFront::OriginAccessControl</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">OriginAccessControlConfig</span><span class="pi">:</span> <span class="na">Name</span><span class="pi">:</span> <span class="s">bonefishsoftware-com-oac</span> <span class="na">OriginAccessControlOriginType</span><span class="pi">:</span> <span class="s">s3</span> <span class="na">SigningBehavior</span><span class="pi">:</span> <span class="s">always</span> <span class="na">SigningProtocol</span><span class="pi">:</span> <span class="s">sigv4</span> </code></pre> </div> <h2> CloudFront Distribution </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">Distribution</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::CloudFront::Distribution</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">DistributionConfig</span><span class="pi">:</span> <span class="na">Enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">DefaultRootObject</span><span class="pi">:</span> <span class="s">index.html</span> <span class="na">Aliases</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">bonefishsoftware.com</span> <span class="pi">-</span> <span class="s">www.bonefishsoftware.com</span> <span class="na">ViewerCertificate</span><span class="pi">:</span> <span class="na">AcmCertificateArn</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">CertificateArn</span> <span class="na">SslSupportMethod</span><span class="pi">:</span> <span class="s">sni-only</span> <span class="na">MinimumProtocolVersion</span><span class="pi">:</span> <span class="s">TLSv1.2_2021</span> <span class="na">HttpVersion</span><span class="pi">:</span> <span class="s">http2and3</span> <span class="na">Origins</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Id</span><span class="pi">:</span> <span class="s">S3Origin</span> <span class="na">DomainName</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">WebsiteBucket.RegionalDomainName</span> <span class="na">S3OriginConfig</span><span class="pi">:</span> <span class="na">OriginAccessIdentity</span><span class="pi">:</span> <span class="s1">'</span><span class="s">'</span> <span class="na">OriginAccessControlId</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">OriginAccessControl.Id</span> <span class="na">DefaultCacheBehavior</span><span class="pi">:</span> <span class="na">TargetOriginId</span><span class="pi">:</span> <span class="s">S3Origin</span> <span class="na">ViewerProtocolPolicy</span><span class="pi">:</span> <span class="s">redirect-to-https</span> <span class="na">CachePolicyId</span><span class="pi">:</span> <span class="s">658327ea-f89d-4fab-a63d-7e88639e58f6</span> <span class="c1"># CachingOptimized</span> <span class="na">Compress</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">CustomErrorResponses</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">ErrorCode</span><span class="pi">:</span> <span class="m">403</span> <span class="na">ResponseCode</span><span class="pi">:</span> <span class="m">200</span> <span class="na">ResponsePagePath</span><span class="pi">:</span> <span class="s">/index.html</span> <span class="na">ErrorCachingMinTTL</span><span class="pi">:</span> <span class="m">0</span> <span class="pi">-</span> <span class="na">ErrorCode</span><span class="pi">:</span> <span class="m">404</span> <span class="na">ResponseCode</span><span class="pi">:</span> <span class="m">200</span> <span class="na">ResponsePagePath</span><span class="pi">:</span> <span class="s">/index.html</span> <span class="na">ErrorCachingMinTTL</span><span class="pi">:</span> <span class="m">0</span> <span class="na">PriceClass</span><span class="pi">:</span> <span class="s">PriceClass_100</span> </code></pre> </div> <h3> Key configuration points </h3> <p><strong><code>RegionalDomainName</code> not <code>DomainName</code></strong><br><br> Always use <code>WebsiteBucket.RegionalDomainName</code> (e.g. <code>bucket.s3.us-west-2.amazonaws.com</code>) when configuring an S3 origin with OAC. Using the global <code>DomainName</code> can cause redirect loops.</p> <p><strong><code>PriceClass_100</code></strong><br><br> CloudFront price classes control which edge locations serve your content. <code>PriceClass_100</code> covers North America and Europe — the right choice for most US-based businesses. <code>PriceClass_All</code> includes Asia/Pacific/South America but costs more.</p> <p><strong><code>http2and3</code></strong><br><br> Enables HTTP/2 and HTTP/3 (QUIC) — better performance for browsers that support it.</p> <h2> Route 53 DNS Setup </h2> <p>Since the domain is registered in Route 53, nameservers were updated via CLI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws route53domains update-domain-nameservers <span class="se">\</span> <span class="nt">--domain-name</span> bonefishsoftware.com <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="se">\</span> <span class="nt">--nameservers</span> <span class="se">\</span> <span class="nv">Name</span><span class="o">=</span>ns-1325.awsdns-37.org <span class="se">\</span> <span class="nv">Name</span><span class="o">=</span>ns-759.awsdns-30.net <span class="se">\</span> <span class="nv">Name</span><span class="o">=</span>ns-1601.awsdns-08.co.uk <span class="se">\</span> <span class="nv">Name</span><span class="o">=</span>ns-72.awsdns-09.com </code></pre> </div> <p>Two <strong>Alias records</strong> point the apex domain and <code>www</code> to CloudFront:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws route53 change-resource-record-sets <span class="se">\</span> <span class="nt">--hosted-zone-id</span> <span class="nv">$ZONE_ID</span> <span class="se">\</span> <span class="nt">--change-batch</span> <span class="s1">'{ "Changes": [{ "Action": "UPSERT", "ResourceRecordSet": { "Name": "bonefishsoftware.com", "Type": "A", "AliasTarget": { "HostedZoneId": "Z2FDTNDATAQYW2", "DNSName": "d39qxh6q0wxdkd.cloudfront.net", "EvaluateTargetHealth": false } } }] }'</span> </code></pre> </div> <blockquote> <p><strong><code>Z2FDTNDATAQYW2</code></strong> is the fixed Hosted Zone ID for all CloudFront distributions — not specific to yours. Always use this value for CloudFront A alias records.</p> </blockquote> <h2> Deployment Order </h2> <p>The order matters because each stack depends on outputs from the previous:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. Create Route 53 hosted zone → Get nameservers, update domain registrar 2. Deploy ACM certificate stack (us-east-1) → Add DNS validation CNAMEs to Route 53 → Wait for ISSUED status (~2–5 min once DNS propagates) 3. Deploy website stack (us-west-2) → Pass CertificateArn as parameter → Outputs: BucketName, DistributionId, DistributionDomain 4. Deploy pipeline stack (us-west-2) → Pass BucketName + DistributionId from step 3 </code></pre> </div> <h2> Gradual Cutover Strategy </h2> <p>Rather than blocking on the ACM cert, the <code>website.yml</code> template supports deploying <strong>without a cert</strong> first:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">Parameters</span><span class="pi">:</span> <span class="na">CertificateArn</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Default</span><span class="pi">:</span> <span class="s1">'</span><span class="s">'</span> <span class="c1"># ← Leave blank for initial deploy</span> <span class="na">Conditions</span><span class="pi">:</span> <span class="na">HasCustomDomain</span><span class="pi">:</span> <span class="kt">!And</span> <span class="pi">-</span> <span class="kt">!Not</span> <span class="pi">[</span><span class="kt">!Equals</span> <span class="pi">[</span><span class="kt">!Ref</span> <span class="nv">CertificateArn</span><span class="pi">,</span> <span class="s1">'</span><span class="s">'</span><span class="pi">]]</span> <span class="pi">-</span> <span class="kt">!Not</span> <span class="pi">[</span><span class="kt">!Equals</span> <span class="pi">[</span><span class="kt">!Ref</span> <span class="nv">DomainName</span><span class="pi">,</span> <span class="s1">'</span><span class="s">'</span><span class="pi">]]</span> </code></pre> </div> <p>This lets you deploy the full CloudFront + S3 stack immediately, get the CloudFront URL (<code>*.cloudfront.net</code>), test it, and then <strong>update the stack</strong> with the cert ARN once it's issued — no downtime, no waiting.</p> <h2> SES DKIM Records </h2> <p>For outbound email from <code>noreply@bonefishsoftware.com</code>, three DKIM CNAME records were added to Route 53:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>jbly6mlsiqbi6h7rnnfthdfkiaxzmvjn._domainkey.bonefishsoftware.com → jbly6mlsiqbi6h7rnnfthdfkiaxzmvjn.dkim.amazonses.com xj7cx3tujwzexkmsxmfruyannxq3sevj._domainkey.bonefishsoftware.com → xj7cx3tujwzexkmsxmfruyannxq3sevj.dkim.amazonses.com fyee6qf6o4fzqiolzxl2dyd4rjboqw4l._domainkey.bonefishsoftware.com → fyee6qf6o4fzqiolzxl2dyd4rjboqw4l.dkim.amazonses.com </code></pre> </div> <p>These allow SES to cryptographically sign outbound emails, which improves deliverability and prevents spoofing.</p> aws cloudfront tutorial webdev React + Vite + TypeScript + Tailwind CSS v4 — Project Setup Josh Blair Wed, 20 May 2026 22:07:24 +0000 https://dev.to/josh_blair/react-vite-typescript-tailwind-css-v4-project-setup-3ckc https://dev.to/josh_blair/react-vite-typescript-tailwind-css-v4-project-setup-3ckc <h2> Overview </h2> <p>This article covers scaffolding a production-ready React single-page application using Vite, TypeScript, and Tailwind CSS v4. This is the frontend that gets built into static assets and served from S3 + CloudFront.</p> <h2> Tech Choices </h2> <h3> Vite over Create React App </h3> <p>CRA is deprecated. Vite is the modern standard — it uses native ES modules for near-instant dev server startup and produces an optimized production build via Rollup.</p> <h3> TypeScript </h3> <p>Type safety catches bugs at compile time instead of runtime. The CloudFormation templates and the site itself are both infra-as-code; TypeScript gives the same discipline on the frontend.</p> <h3> Tailwind CSS v4 </h3> <p>Tailwind v4 (released 2024) is a ground-up rewrite. Key changes from v3:</p> <ul> <li> <strong>No <code>tailwind.config.js</code></strong> — theme customization moves into CSS via <code>@theme</code> in your stylesheet</li> <li> <strong>No PostCSS config file</strong> — use the <code>@tailwindcss/vite</code> Vite plugin instead</li> <li> <strong>CSS-first configuration</strong> — design tokens are CSS custom properties</li> </ul> <h2> Scaffolding </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create project with react-ts template</span> npm create vite@latest <span class="nb">.</span> <span class="nt">--</span> <span class="nt">--template</span> react-ts <span class="c"># Install routing and Tailwind</span> npm <span class="nb">install </span>react-router-dom npm <span class="nb">install</span> <span class="nt">-D</span> tailwindcss @tailwindcss/vite </code></pre> </div> <h3> vite.config.ts </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">defineConfig</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">vite</span><span class="dl">'</span> <span class="k">import</span> <span class="nx">react</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@vitejs/plugin-react</span><span class="dl">'</span> <span class="k">import</span> <span class="nx">tailwindcss</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@tailwindcss/vite</span><span class="dl">'</span> <span class="k">export</span> <span class="k">default</span> <span class="nf">defineConfig</span><span class="p">({</span> <span class="na">plugins</span><span class="p">:</span> <span class="p">[</span><span class="nf">react</span><span class="p">(),</span> <span class="nf">tailwindcss</span><span class="p">()],</span> <span class="p">})</span> </code></pre> </div> <p>The <code>@tailwindcss/vite</code> plugin replaces the old PostCSS setup. No <code>postcss.config.js</code> needed.</p> <h3> src/index.css </h3> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="c">/* Google Fonts import MUST come before @import "tailwindcss" */</span> <span class="k">@import</span> <span class="sx">url('https://fonts.googleapis.com/css2?family=Space+Grotesk:wght@300;400;500;600;700&amp;display=swap')</span><span class="p">;</span> <span class="k">@import</span> <span class="s1">"tailwindcss"</span><span class="p">;</span> <span class="c">/* Custom design tokens via @theme (Tailwind v4 CSS-first config) */</span> <span class="k">@theme</span> <span class="p">{</span> <span class="py">--color-bg</span><span class="p">:</span> <span class="m">#111318</span><span class="p">;</span> <span class="py">--color-surface</span><span class="p">:</span> <span class="m">#1C2028</span><span class="p">;</span> <span class="py">--color-accent</span><span class="p">:</span> <span class="m">#00D4FF</span><span class="p">;</span> <span class="py">--color-text</span><span class="p">:</span> <span class="m">#F0F4F8</span><span class="p">;</span> <span class="py">--color-text-muted</span><span class="p">:</span> <span class="m">#8B95A3</span><span class="p">;</span> <span class="py">--color-border</span><span class="p">:</span> <span class="m">#2A3040</span><span class="p">;</span> <span class="py">--font-sans</span><span class="p">:</span> <span class="s2">'Space Grotesk'</span><span class="p">,</span> <span class="n">system-ui</span><span class="p">,</span> <span class="nb">sans-serif</span><span class="p">;</span> <span class="p">}</span> <span class="nt">body</span> <span class="p">{</span> <span class="nl">background-color</span><span class="p">:</span> <span class="m">#111318</span><span class="p">;</span> <span class="nl">color</span><span class="p">:</span> <span class="m">#F0F4F8</span><span class="p">;</span> <span class="nl">font-family</span><span class="p">:</span> <span class="s2">'Space Grotesk'</span><span class="p">,</span> <span class="n">system-ui</span><span class="p">,</span> <span class="nb">sans-serif</span><span class="p">;</span> <span class="nl">margin</span><span class="p">:</span> <span class="m">0</span><span class="p">;</span> <span class="p">}</span> <span class="nf">#root</span> <span class="p">{</span> <span class="nl">min-height</span><span class="p">:</span> <span class="m">100</span><span class="n">dvh</span><span class="p">;</span> <span class="nl">display</span><span class="p">:</span> <span class="n">flex</span><span class="p">;</span> <span class="nl">flex-direction</span><span class="p">:</span> <span class="n">column</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p><strong>Gotcha:</strong> In Tailwind v4, <code>@import "tailwindcss"</code> expands to real CSS. Any <code>@import url(...)</code> (like Google Fonts) <strong>must appear before it</strong> or the browser ignores the font import. This caused a CSS warning in the build until we fixed the order.</p> </blockquote> <h2> Project Structure </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>src/ ├── components/ │ ├── Navbar.tsx # Sticky nav, mobile hamburger, active link highlighting │ ├── Footer.tsx # Logo, nav links, LinkedIn + GitHub icons │ └── SectionHeader.tsx # Reusable section heading (title + subtitle) ├── pages/ │ ├── Home.tsx # Hero, featured services, cert strip, CTA banner │ ├── Services.tsx # Full 6-card service grid │ ├── Technologies.tsx # Grouped tech badges + certifications │ ├── Portfolio.tsx # Placeholder project cards │ ├── Team.tsx # Bio card with photo, certs, social links │ └── Contact.tsx # Form → API Gateway fetch ├── data/ │ ├── services.ts # Service card data (title, description, icon) │ ├── technologies.ts # Tech groups + certifications │ └── team.ts # Team member data ├── App.tsx # BrowserRouter + route config ├── main.tsx # React DOM root └── index.css # Global styles + Tailwind v4 config </code></pre> </div> <h3> Data-driven content </h3> <p>Rather than hardcoding content in page components, all repeated content lives in typed data files:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/data/services.ts</span> <span class="k">export</span> <span class="kr">interface</span> <span class="nx">Service</span> <span class="p">{</span> <span class="nl">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">title</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">description</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">icon</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">services</span><span class="p">:</span> <span class="nx">Service</span><span class="p">[]</span> <span class="o">=</span> <span class="p">[</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">eda-serverless</span><span class="dl">'</span><span class="p">,</span> <span class="na">title</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Event-Driven Architecture &amp; Serverless</span><span class="dl">'</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Architect decoupled, resilient systems using SQS, SNS, EventBridge, and Lambda...</span><span class="dl">'</span><span class="p">,</span> <span class="na">icon</span><span class="p">:</span> <span class="dl">'</span><span class="s1">⚡</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="c1">// ...</span> <span class="p">];</span> </code></pre> </div> <p>This makes it trivial to add, update, or reorder content without touching component markup.</p> <h2> Routing </h2> <p>React Router v7 handles client-side routing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// src/App.tsx</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">BrowserRouter</span> <span class="k">as</span> <span class="nx">Router</span><span class="p">,</span> <span class="nx">Routes</span><span class="p">,</span> <span class="nx">Route</span><span class="p">,</span> <span class="nx">Navigate</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react-router-dom</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">App</span><span class="p">()</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nc">Router</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Navbar</span> <span class="p">/&gt;</span> <span class="p">&lt;</span><span class="nc">Routes</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Route</span> <span class="na">path</span><span class="p">=</span><span class="s">"/"</span> <span class="na">element</span><span class="p">=</span><span class="si">{</span><span class="p">&lt;</span><span class="nc">Home</span> <span class="p">/&gt;</span><span class="si">}</span> <span class="p">/&gt;</span> <span class="p">&lt;</span><span class="nc">Route</span> <span class="na">path</span><span class="p">=</span><span class="s">"/services"</span> <span class="na">element</span><span class="p">=</span><span class="si">{</span><span class="p">&lt;</span><span class="nc">Services</span> <span class="p">/&gt;</span><span class="si">}</span> <span class="p">/&gt;</span> <span class="p">&lt;</span><span class="nc">Route</span> <span class="na">path</span><span class="p">=</span><span class="s">"/technologies"</span> <span class="na">element</span><span class="p">=</span><span class="si">{</span><span class="p">&lt;</span><span class="nc">Technologies</span> <span class="p">/&gt;</span><span class="si">}</span> <span class="p">/&gt;</span> <span class="p">&lt;</span><span class="nc">Route</span> <span class="na">path</span><span class="p">=</span><span class="s">"/portfolio"</span> <span class="na">element</span><span class="p">=</span><span class="si">{</span><span class="p">&lt;</span><span class="nc">Portfolio</span> <span class="p">/&gt;</span><span class="si">}</span> <span class="p">/&gt;</span> <span class="p">&lt;</span><span class="nc">Route</span> <span class="na">path</span><span class="p">=</span><span class="s">"/team"</span> <span class="na">element</span><span class="p">=</span><span class="si">{</span><span class="p">&lt;</span><span class="nc">Team</span> <span class="p">/&gt;</span><span class="si">}</span> <span class="p">/&gt;</span> <span class="p">&lt;</span><span class="nc">Route</span> <span class="na">path</span><span class="p">=</span><span class="s">"/contact"</span> <span class="na">element</span><span class="p">=</span><span class="si">{</span><span class="p">&lt;</span><span class="nc">Contact</span> <span class="p">/&gt;</span><span class="si">}</span> <span class="p">/&gt;</span> <span class="p">&lt;</span><span class="nc">Route</span> <span class="na">path</span><span class="p">=</span><span class="s">"*"</span> <span class="na">element</span><span class="p">=</span><span class="si">{</span><span class="p">&lt;</span><span class="nc">Navigate</span> <span class="na">to</span><span class="p">=</span><span class="s">"/"</span> <span class="na">replace</span> <span class="p">/&gt;</span><span class="si">}</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">Routes</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Footer</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">Router</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> SPA Routing on CloudFront </h3> <p>Because React Router handles navigation client-side, all URLs (<code>/services</code>, <code>/team</code>, etc.) point to the same <code>index.html</code>. When a user navigates directly to <code>https://bonefishsoftware.com/team</code>, S3 returns a <strong>403</strong> (key doesn't exist). CloudFront must be configured to map 403 and 404 errors back to <code>index.html</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># In website.yml CloudFormation</span> <span class="na">CustomErrorResponses</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">ErrorCode</span><span class="pi">:</span> <span class="m">403</span> <span class="na">ResponseCode</span><span class="pi">:</span> <span class="m">200</span> <span class="na">ResponsePagePath</span><span class="pi">:</span> <span class="s">/index.html</span> <span class="na">ErrorCachingMinTTL</span><span class="pi">:</span> <span class="m">0</span> <span class="pi">-</span> <span class="na">ErrorCode</span><span class="pi">:</span> <span class="m">404</span> <span class="na">ResponseCode</span><span class="pi">:</span> <span class="m">200</span> <span class="na">ResponsePagePath</span><span class="pi">:</span> <span class="s">/index.html</span> <span class="na">ErrorCachingMinTTL</span><span class="pi">:</span> <span class="m">0</span> </code></pre> </div> <p>Without this, refreshing any non-root page returns a CloudFront error page.</p> <h2> Design System </h2> <p><strong>Color palette</strong> (dark charcoal + electric cyan):</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Token</th> <th>Hex</th> <th>Usage</th> </tr> </thead> <tbody> <tr> <td><code>bg</code></td> <td><code>#111318</code></td> <td>Page background</td> </tr> <tr> <td><code>surface</code></td> <td><code>#1C2028</code></td> <td>Cards, panels</td> </tr> <tr> <td><code>surface-2</code></td> <td><code>#232936</code></td> <td>Nested surfaces</td> </tr> <tr> <td><code>accent</code></td> <td><code>#00D4FF</code></td> <td>Cyan highlights, links, active states</td> </tr> <tr> <td><code>text</code></td> <td><code>#F0F4F8</code></td> <td>Primary text</td> </tr> <tr> <td><code>text-muted</code></td> <td><code>#8B95A3</code></td> <td>Secondary text, descriptions</td> </tr> <tr> <td><code>border</code></td> <td><code>#2A3040</code></td> <td>Card borders, dividers</td> </tr> </tbody> </table></div> <p><strong>Font:</strong> <a href="https://fonts.google.com/specimen/Space+Grotesk" rel="noopener noreferrer">Space Grotesk</a> — a modern geometric sans-serif that feels technical but approachable.</p> <h2> Logo Integration </h2> <p>The company logo is an SVG with a <strong>transparent background</strong>. The white stripe visible in the logo is part of the Colorado flag design — it's not a background fill.</p> <p>Using the SVG directly in the Navbar (instead of PNG) means:</p> <ul> <li>Zero white-box artifact on the dark background</li> <li>Infinitely scalable — looks sharp at any size</li> <li>Small file size </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// Navbar.tsx</span> <span class="p">&lt;</span><span class="nc">NavLink</span> <span class="na">to</span><span class="p">=</span><span class="s">"/"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">img</span> <span class="na">src</span><span class="p">=</span><span class="s">"/logo.svg"</span> <span class="na">alt</span><span class="p">=</span><span class="s">"Bonefish Software"</span> <span class="na">className</span><span class="p">=</span><span class="s">"h-10 w-auto"</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">NavLink</span><span class="p">&gt;</span> </code></pre> </div> <p>The no-text variant (<code>/logo-icon.svg</code>) is used in the footer where horizontal space is tighter.</p> <h2> Production Build </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm run build <span class="c"># → tsc -b &amp;&amp; vite build</span> <span class="c"># → dist/ (index.html + hashed JS/CSS bundles)</span> </code></pre> </div> <p>Build output for this site:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">dist/index.html 0.64 kB │ gzip: 0.39 kB dist/assets/index-[hash].css 22.21 kB │ gzip: 4.91 kB dist/assets/index-[hash].js 257.69 kB │ gzip: 81.09 kB </span></code></pre> </div> <p>The entire site gzips to under <strong>86 kB</strong> — fast on any connection.</p> react webdev vite typescript