I have attached the GitHub Repo link for full code ;)

GitHub - rojansedhai/auto-meme-generator

The internet runs on memes. There’s a strange kind of joy in over-engineering something ridiculous. Memes are ephemeral, low-stakes, and a cultural phenomenum.

So naturally, I decided to build a fully serverless meme-generation pipeline on AWS that can:

• Accept an uploaded image
• Detect objects inside it using AI
• Generate sarcastic meme captions using Gemini AI
• Render the final meme automatically
• Serve everything through a sleek Neobrutalist frontend

And the best part?

The entire stack is provisioned with Terraform and runs without managing a single server.

In this article, I’ll walk you through how to build an Auto Meme Generator using:

• AWS Lambda
• Step Functions
• EventBridge
• DynamoDB
• CloudFront + OAC
• Amazon Rekognition
• Google Gemini AI
• Sharp Image Processing
• Terraform

What We’re Building

Here’s the flow:

1. User uploads an image through a web app
2. Browser uploads directly to S3 using a presigned URL
3. S3 triggers an EventBridge event
4. Step Functions orchestrates the workflow
5. Rekognition analyzes the image
6. Gemini AI creates meme captions
7. Sharp overlays the text onto the image
8. Final meme is stored and returned to the frontend

The result is a fully automated AI meme factory.

Final Architecture

Event-Driven Design

The workflow is triggered entirely through events:

• S3 upload event
• EventBridge rule
• Step Functions orchestration

This creates a clean and loosely coupled system.

AI-Powered Workflow

The app combines:

• Amazon Rekognition for image understanding
• Gemini AI for caption generation

This creates surprisingly funny meme captions with almost zero logic on your side.

Prerequisites

Before starting, make sure you have:

• AWS Account with sufficient permissions
• AWS CLI Configured locally
• Terraform v1.5+
• Node.js v20 or higher LTS
• Gemini API Key (Free tier works fine and You can obtain a Gemini API key from Google AI Studio)

Project Structure

Here’s the recommended layout:

auto-meme-generator/
├── layer/
│   └── nodejs/
│       └── package.json       ← Sharp dependency for the Lambda layer
├── src/
│   ├── analyze/index.mjs      ← Step 1: Rekognition
│   ├── caption/index.mjs      ← Step 2: Gemini AI (Top/Bottom text)
│   ├── compose/               ← Step 3: Sharp image composer
│   │   ├── index.mjs          
│   │   └── fonts/Anton.ttf    ← Embedded meme font
│   ├── status/index.mjs       ← Polling API Endpoint
│   ├── upload/index.mjs       ← Presigned URL API Endpoint
│   └── frontend/index.html    ← The Web UI
└── terraform/
    ├── main.tf                ← S3, DynamoDB, Secrets
    ├── lambda.tf              ← Lambda Provisioning
    ├── iam.tf                 ← Least-Privilege Roles
    ├── sfn.tf                 ← Step Functions
    ├── events.tf              ← EventBridge
    ├── api.tf                 ← API Gateway v2 routes
    ├── cloudfront.tf          ← OAC & CloudFront Distribution
    ├── frontend_sync.tf       ← Auto-syncs frontend code to S3 & Invalidates Cache
    └── outputs.tf             ← Deployment URLs
    └── variables.tf           ← The AWS region to deploy the infrastructure to

Keeping infrastructure and application logic separated makes the project significantly easier to maintain.

Building the Sharp Lambda Layer

The meme composition step uses the Sharp library for image processing.

Because Sharp includes native binaries, it must be compiled for the Lambda Linux runtime.

Create package.json

Inside layer/nodejs/package.json:

{
  "name": "nodejs",
  "version": "1.0.0",
  "dependencies": {
    "sharp": "^0.34.5"
  }
}

Install Linux-Compatible Dependencies

Run:

npm install --platform=linux --arch=x64 --libc=glibc

Zip the Layer

cd ../layer
zip -r ../terraform/sharp_layer.zip nodejs/

This ZIP file becomes the Lambda Layer attached to the compose function.

Upload API Lambda

The first Lambda handles uploads.

Its responsibilities:

• Generate a UUID (memeId)
• Create a presigned S3 PUT URL
• Insert a PENDING record into DynamoDB

This allows the frontend to upload images directly to S3 without exposing AWS credentials.

Status API Lambda

The frontend continuously polls for meme completion.

This Lambda:

• Reads the meme status from DynamoDB
• Returns a presigned GET URL when the meme is complete

This creates a lightweight async workflow without needing WebSockets.

Step Functions Pipeline

This is where the magic happens.

Step 1: Analyze the Image

The Analyze Lambda:

• Extracts the memeId
• Calls Amazon Rekognition
• Detects labels inside the image

Example labels:

[
  "Cat",
  "Laptop",
  "Person"
]

These labels become the context for Gemini AI.

Step 2 : Generate Meme Captions with Gemini

This Lambda:

• Reads the Gemini API key from AWS Secrets Manager
• Sends Rekognition labels to Gemini
• Requests a meme caption in a strict format

Example prompt:

Create a sarcastic meme caption using these labels:
Cat, Laptop, Person

Return:
TOP TEXT|BOTTOM TEXT

Example response:

WORKING FROM HOME|SUPERVISOR DETECTED

Step 3: Compose the Meme

This Lambda handles image rendering using Sharp.

It:

• Downloads the uploaded image
• Loads the Anton.ttf meme font
• Creates SVG overlays
• Places text at the top and bottom
• Uploads the final meme to S3
• Updates DynamoDB status to COMPLETED

This entire process runs inside Lambda in just a few seconds.

Secure Frontend Hosting with CloudFront + OAC

One of the best upgrades in this project is secure frontend hosting.

Instead of making the S3 bucket public:

• CloudFront sits in front
• Origin Access Control (OAC) is enabled
• S3 blocks all public access

This means users can only access content through CloudFront.

Benefits:

• HTTPS by default
• Better caching
• Improved security
• Production-grade architecture

Deploying Everything with Terraform

After your application code is ready:

Install Dependencies

cd src/upload && npm install
cd ../status && npm install

Deploy Infrastructure

cd ../../terraform
terraform init
terraform apply -auto-approve

Terraform provisions:

• S3 Buckets
• Lambda Functions
• IAM Roles
• DynamoDB
• API Gateway
• Step Functions
• EventBridge
• CloudFront Distribution
• Secrets Manager

Automating the Frontend Deployment

In a typical serverless project, you might deploy infrastructure with Terraform and then manually run aws s3 sync to upload your frontend files. Here we want a true "one-command deploy".

To achieve this, we added a frontend_sync.tf configuration that:

1. Uses the aws_s3_object resource with a for_each loop to automatically upload all files from the src/frontend directory to the S3 bucket.
2. Computes the MD5 hash of the frontend files.
3. Uses a null_resource to trigger a local AWS CLI command (aws cloudfront create-invalidation) only when the frontend file contents change.

Now, when you run terraform apply, Terraform detects changes to your HTML/CSS/JS, uploads them, and clears the CloudFront cache automatically. Magic!

Important Final Step

Terraform creates the secret automatically, but with a placeholder value.

You must replace:

REPLACE_ME_IN_AWS_CONSOLE

with your real Gemini API key in AWS Secrets Manager.

Without this, caption generation will fail.

The Frontend

The frontend is intentionally over-the-top.

Features include:

• Thick black borders
• Bright accent colors
• Heavy drop shadows
• Smooth hover animations
• Mobile responsiveness
• Dependency-free JavaScript

It gives the project personality instead of feeling like another generic AWS dashboard clone.

The Result?

Why This Project Is Great for Learning

This single project teaches:

• Serverless architecture
• Event-driven design
• AI integration
• Infrastructure as Code
• Presigned URL workflows
• CloudFront security best practices
• Image processing in Lambda

It’s also an excellent portfolio project because it combines:

• Frontend
• Backend
• AI
• Cloud Engineering

into one deployable application.

Tearing Down the Infrastructure

Cleaning Up Serverless is cheap, but leaving resources lying around is bad practice. To tear down the entire project, simply run:

terraform destroy -auto-approve

Pro-Tip: By default, Terraform will refuse to delete an S3 bucket that has objects inside it. To make teardown seamless, we added force_destroy = true to our S3 bucket configurations in Terraform, allowing it to wipe the buckets clean automatically during destruction.

Potential Improvements

Here are some ideas for taking it further:

1. Add User Authentication

2. Generate Multiple Meme Styles

3. Add Queueing

4. Store Meme History

5. Add Social Sharing

Final Thoughts

This project turned out to be one of the most fun serverless builds I’ve worked on.

It combines:

• AI
• Serverless
• Image processing
• Modern frontend design
• Infrastructure automation

into something genuinely entertaining.

However, there are rough edges. The Gemini API key setup requires a manual console step that breaks the “one command deploy” story slightly.

While we completely automated the frontend upload and cache invalidation via Terraform, pasting in the API Gateway URL into the index.html is the kind of thing you'd want to automate in a more polished version (perhaps using Terraform's templatefile function).

And at the end of it, you have a meme generator. Which is its own reward.

If you’re learning AWS serverless architecture, this is the kind of project that teaches real-world patterns while still being fun enough to actually finish.

Happy meme generating!!! :D

As someone who uses AWS on a daily basis, keeping up with AWS announcements feels like drinking from a firehose. The “What’s New” feed updates dozens of times a day. I didn’t want to subscribe to another newsletter; I wanted an executive assistant who could read the feed, filter out what I’ve already seen, and send me a concise summary of the things that matter.

In this guide, I’ll show you how to build The AI Cloud Curator , a fully automated, serverless system that scrapes AWS news, summarizes it using Amazon Bedrock (Claude 3 Haiku), and delivers it to your inbox.

I will build this using Infrastructure as Code (Terraform), while keeping your credentials safe.

The Architecture

We are going 100% Serverless. This ensures the project is low-maintenance and fits almost entirely within the AWS Free Tier or with very low cost in case you don’t have Free Tier.

1. EventBridge Scheduler: Triggers the workflow every morning at 8:00 AM.
2. AWS Lambda (Python): It fetches the RSS feed and orchestrates the logic.
3. Amazon DynamoDB: Acts as the memory state. It stores the IDs of articles we’ve already processed so we don’t get duplicate emails.
4. Amazon Bedrock (Claude 3 Haiku): It reads the technical announcement and rewrites it into a 2-sentence executive summary.
5. Amazon SNS: The delivery service that pushes the email to your inbox.

Part 1: Prerequisites & Setup

Before writing code, we need to set the stage.

1. AWS CLI & Credentials

If you haven’t already, install the AWS CLI and configure it with a user that has Admin permissions.

aws configure

• AWS Access Key ID: [Enter your key]
• AWS Secret Access Key: [Enter your secret]
• Default region name: us-east-1 (We will use us-east-1 as it has the widest Bedrock model availability).

2. Install Terraform

We will use Terraform to deploy our infrastructure. Download and install it from HashiCorp’s website.

Verify it works:

terraform -version

3. Enable Amazon Bedrock Models

This is a critical step. By default, you do not have access to Bedrock models.

• Log in to the AWS Console and search for Amazon Bedrock.
• In the left sidebar, scroll down to Model access.
• Click the orange Modify model access button.
• Check the box for Anthropic -> Claude 3 Haiku.
• Fill the case and Submit. Access is usually granted instantly.

Part 2: The Project Structure

Create a new folder for your project. Good organization is key to clean code.

mkdir ai-cloud-curator
cd ai-cloud-curator
mkdir src

Create three empty files to start:

• src/index.py (The Python application logic)
• main.tf (The Infrastructure definition)
• terraform.tfvars (Your secret configuration variables)

Part 3: The Application Logic (Python)

Open src/index.py. We are using Python’s standard libraries (urllib, xml) to avoid the complexity of managing external pip dependencies and Lambda Layers.

import boto3
import json
import os
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime

# Initialize clients
bedrock = boto3.client(service_name='bedrock-runtime', region_name=os.environ['BEDROCK_REGION'])
dynamodb = boto3.resource('dynamodb')
sns = boto3.client('sns')
TABLE_NAME = os.environ['TABLE_NAME']
SNS_TOPIC_ARN = os.environ['SNS_TOPIC_ARN']
RSS_URL = "https://aws.amazon.com/about-aws/whats-new/recent/feed/"
def lambda_handler(event, context):
    print("Fetching AWS RSS Feed...")
    
    # 1. Fetch RSS Feed
    try:
        with urllib.request.urlopen(RSS_URL) as response:
            rss_data = response.read()
    except Exception as e:
        print(f"Error fetching RSS: {e}")
        return
        
    root = ET.fromstring(rss_data)
    # AWS feed items are usually standard RSS item tags
    items = root.findall(".//item")
    
    # Process only the top 3 newest items to save cost/time per run
    processed_count = 0
    table = dynamodb.Table(TABLE_NAME)
    
    for item in items[:3]:
        title = item.find("title").text
        link = item.find("link").text
        guid = item.find("guid").text
        description = item.find("description").text
        
        # 2. Check Deduplication (DynamoDB)
        response = table.get_item(Key={'article_id': guid})
        if 'Item' in response:
            print(f"Skipping existing article: {title}")
            continue
            
        print(f"Processing new article: {title}")
        
        # 3. Summarize with Bedrock (Claude 3 Haiku)
        summary = generate_summary(title, description)
        
        # 4. Send Notification
        message = f"☁️ **AWS New Announcement**\n\n**{title}**\n\n{summary}\n\nRead more: {link}"
        sns.publish(
            TopicArn=SNS_TOPIC_ARN,
            Message=message,
            Subject=f"AWS News: {title[:50]}..."
        )
        
        # 5. Save to DynamoDB
        table.put_item(
            Item={
                'article_id': guid,
                'processed_at': str(datetime.now()),
                'title': title
            }
        )
        processed_count += 1
        
    return {
        'statusCode': 200,
        'body': json.dumps(f'Processed {processed_count} new articles.')
    }
def generate_summary(title, text):
    prompt = f"""
    You are a Cloud Architect assistant. Summarize this AWS announcement in 2 clear sentences. Focus on the value prop and technical benefit.
    
    Title: {title}
    Content: {text}
    """
    
    body = json.dumps({
        "anthropic_version": "bedrock-2023-05-31",
        "max_tokens": 150,
        "messages": [
            {"role": "user", "content": prompt}
        ]
    })
    
    try:
        response = bedrock.invoke_model(
            modelId="anthropic.claude-3-haiku-20240307-v1:0",
            body=body
        )
        response_body = json.loads(response.get("body").read())
        return response_body["content"][0]["text"]
    except Exception as e:
        print(f"Bedrock Error: {e}")
        return "Summary unavailable."

Part 4: Infrastructure as Code (Terraform)

Open main.tf. This configuration sets up everything: IAM permissions, the database, and the scheduler.

Note: Notice I am not hardcoding the email address here. We define it as a sensitive variable.

provider "aws" {
  region = "us-east-1"
}

# --- Variables ---
variable "email_address" {
  description = "The email to receive notifications"
  type        = string
  sensitive   = true 
}
# --- 1. DynamoDB for Deduplication ---
resource "aws_dynamodb_table" "news_tracker" {
  name           = "aws-news-tracker"
  billing_mode   = "PAY_PER_REQUEST"
  hash_key       = "article_id"
  attribute {
    name = "article_id"
    type = "S"
  }
}
# --- 2. SNS Topic for Email ---
resource "aws_sns_topic" "daily_briefing" {
  name = "aws-daily-briefing"
}
resource "aws_sns_topic_subscription" "email_sub" {
  topic_arn = aws_sns_topic.daily_briefing.arn
  protocol  = "email"
  endpoint  = var.email_address
}
# --- 3. IAM Role & Permissions ---
resource "aws_iam_role" "lambda_role" {
  name = "ai_curator_role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action = "sts:AssumeRole"
      Effect = "Allow"
      Principal = { Service = "lambda.amazonaws.com" }
    }]
  })
}
resource "aws_iam_role_policy" "lambda_policy" {
  name = "ai_curator_policy"
  role = aws_iam_role.lambda_role.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow",
        Action = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
        Resource = "arn:aws:logs:*:*:*"
      },
      {
        Effect = "Allow",
        Action = ["dynamodb:GetItem", "dynamodb:PutItem"],
        Resource = aws_dynamodb_table.news_tracker.arn
      },
      {
        Effect = "Allow",
        Action = "sns:Publish",
        Resource = aws_sns_topic.daily_briefing.arn
      },
      {
        Effect = "Allow",
        Action = "bedrock:InvokeModel",
        Resource = "arn:aws:bedrock:*:*:foundation-model/anthropic.claude-3-haiku-20240307-v1:0"
      }
    ]
  })
}
# --- 4. The Lambda Function ---
data "archive_file" "lambda_zip" {
  type        = "zip"
  source_file = "${path.module}/src/index.py"
  output_path = "${path.module}/lambda_function.zip"
}
resource "aws_lambda_function" "curator_lambda" {
  filename      = data.archive_file.lambda_zip.output_path
  function_name = "ai-cloud-curator"
  role          = aws_iam_role.lambda_role.arn
  handler       = "index.lambda_handler"
  runtime       = "python3.9"
  timeout       = 30 
  source_code_hash = data.archive_file.lambda_zip.output_base64sha256
  environment {
    variables = {
      TABLE_NAME     = aws_dynamodb_table.news_tracker.name
      SNS_TOPIC_ARN  = aws_sns_topic.daily_briefing.arn
      BEDROCK_REGION = "us-east-1"
    }
  }
}
# --- 5. EventBridge Scheduler (Runs daily at 8 AM UTC) ---
resource "aws_cloudwatch_event_rule" "daily_trigger" {
  name                = "daily-news-trigger"
  schedule_expression = "cron(0 8 * * ? *)"
}
resource "aws_cloudwatch_event_target" "lambda_target" {
  rule      = aws_cloudwatch_event_rule.daily_trigger.name
  target_id = "SendToLambda"
  arn       = aws_lambda_function.curator_lambda.arn
}
resource "aws_lambda_permission" "allow_eventbridge" {
  statement_id  = "AllowExecutionFromEventBridge"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.curator_lambda.function_name
  principal     = "events.amazonaws.com"
  source_arn    = aws_cloudwatch_event_rule.daily_trigger.arn
}

Part 5: Security & Deployment

1. Configure Secrets

Instead of putting your email in the code (which might end up on GitHub!), we use a terraform.tfvars file.

Open terraform.tfvars and add:

email_address = "your-actual-email@gmail.com"

Tip: If you are pushing this to GitHub, create a .gitignore file and add terraform.tfvars to it. This prevents your email from being exposed publicly.

2. Deploy

Run the following commands in your terminal:

# Initialize Terraform
terraform init

# Plan the deployment (Check for errors)
terraform plan

# Deploy the resources
terraform apply

Type yes when prompted.

3. Confirm Subscription

Wait a moment, then check your email inbox. You will receive an email from “AWS Notifications.” You must click the ‘Confirm subscription’ link inside that email. If you don’t, the system cannot send you summaries.

Part 6: Testing & Validation

You don’t have to wait for 8:00 AM tomorrow to see if it works. Let’s force a run now.

You can do this via the AWS Console (Lambda -> Test), or via the CLI:

aws lambda invoke --function-name ai-cloud-curator response.json

The Result:

• The script will fetch the RSS feed.
• It will summarize the latest 3 articles.
• Check your inbox: You should receive 3 new emails.
• Idempotency Test: Run the command again. You should receive 0 emails. This confirms that DynamoDB is successfully tracking which articles you’ve already seen.

Critical Note: You may get an error like this “An error occurred (AccessDeniedException) when calling the InvokeModel operation: Model access is denied due to IAM user or service role is not authorized to perform the required AWS Marketplace actions (aws-marketplace:ViewSubscriptions, aws-marketplace:Subscribe) to enable access to this model.” when trying to call the Claude Model.

Confirm that you have subscribed and then try testing again.

Note: By default, AWS EventBridge schedules run in UTC (Coordinated Universal Time), not your local time so do configure for your local time.

Part 7: Cost Analysis

Is this expensive? No, not really.

• The total cost should be around~$0.03 - $0.10 USD per month. Although, this can vary depending upon your usage, so do set up a billings alarm for just in case!

Part 8: Cleanup (Destroy)

If you want to tear down the project to ensure no future costs or clutter in your AWS account, Terraform makes this easy.

Run:

terraform destroy

Type yes. This will remove the Lambda, the IAM roles, the SNS topic, and the DynamoDB table.

Conclusion

By combining Terraform, Serverless, and Generative AI, we’ve built a practical tool that solves a real problem (okay, maybe not that real, but still). This project demonstrates how easy it is to integrate powerful AI models like Claude 3 into standard AWS workflows using Bedrock.

The scariest part of learning AWS isn’t the steep learning curve, or the vast amount of services. It’s the surprise bill at the end of the month.

By now we all have probably heard about the horror stories or seen on LinkedIn (as posts that say something like: “Unexpected AWS Costs” or “The Hidden Costs of AWS” and so on… :D), where a user leaves a high-performance EC2 instance running over the weekend, or a loop in a Lambda function triggers millions of requests. Suddenly, a $5 hobby project turns into a $500 debt.

As cloud engineers, we often focus heavily on DevOps (deployment and operations) but neglect FinOps (financial operations). In this guide, I will show you how to use Terraform to build an automated budget watchdog that alerts you the moment your spending trends in the wrong direction.

The Goal

We are going to build a reusable Terraform module that deploys:

1. An AWS Budget to monitor monthly spending.
2. An SNS Topic to handle alert notifications.
3. Dual-Trigger Alerts: One for actual spend and one for forecasted spend.

Step 0: Prerequisites

Before writing a single line of Terraform, we need to set up a secure environment. Running Terraform with your root account or “AdministratorAccess” is a security anti-pattern. We will follow the Principle of Least Privilege.

1. Create a “Terraform User”

Instead of giving our bot the keys to the kingdom, we will create a dedicated IAM user (terraform-finops-bot) with permission only to manage the services of Budgets and SNS.

1. Log in to the AWS Console and go to IAM -> Users -> Create user.
2. Name: terraform-finops-bot
3. Select Attach policies directly -> Create policy -> JSON.
4. Paste the following policy. This JSON grants only the exact permissions needed to deploy and manage our specific resources (including reading tags, which Terraform requires):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ManageBudgets",
            "Effect": "Allow",
            "Action": [
                "budgets:ViewBudget",
                "budgets:ModifyBudget",
                "budgets:ListTagsForResource",
                "budgets:TagResource",
                "budgets:UntagResource"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ManageSNS",
            "Effect": "Allow",
            "Action": [
                "sns:CreateTopic",
                "sns:SetTopicAttributes",
                "sns:GetTopicAttributes",
                "sns:ListTopics",
                "sns:DeleteTopic",
                "sns:Subscribe",
                "sns:Unsubscribe",
                "sns:GetSubscriptionAttributes",
                "sns:ListTagsForResource",
                "sns:TagResource",
                "sns:UntagResource"
            ],
            "Resource": "*"
        }
    ]
}

2. Configure AWS CLI (No Hardcoded Keys!)

Never paste your access keys into your Terraform files. If you commit them to GitHub, bots will find them in seconds. Instead, use the AWS CLI to store them locally.

Run this in your terminal:

aws configure --profile finops-project

Paste your new user’s Access Key ID and Secret Access Key when prompted.

Step 1: Project Structure

Organizing your Infrastructure as Code is just as important as writing it. Here is the folder structure we will use:

aws-finops-budget/
├── main.tf           # Provider configuration
├── variables.tf      # Input variables (email, budget limit)
├── sns.tf            # Notification infrastructure
├── budget.tf         # The budget logic and thresholds
├── .gitignore        # Exclude .terraform and .tfstate

Version Control Note: Even though this guide focuses on running Terraform locally and doesn’t explicitly require pushing to GitHub, I have included a .gitignore file.

This is a critical safety habit. It ensures that if you do decide to initialize a Git repository later, you won't accidentally commit sensitive local files (like terraform.tfstate or .tfvars) to the public internet.

Step 2: The Infrastructure as Code

1. Provider Configuration (main.tf)

We configure Terraform to use the secure profile we created in Step 0.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region  = var.aws_region
  profile = "finops-project"
}

2. Variables (variables.tf)

Here, the email is marked as sensitive so it doesn't show up in plain text in our logs.

variable "aws_region" {
  description = "AWS Region to deploy resources"
  type        = string
  default     = "us-east-1"
}
variable "billing_email" {
  description = "The email address to receive budget alerts"
  type        = string
  sensitive   = true 
}
variable "budget_limit" {
  description = "The monthly budget limit in USD"
  type        = string
  default     = "10"
}

3. The Communication Channel (sns.tf)

We create an SNS topic and, an access policy that allows the AWS Budgets service to publish to it.

resource "aws_sns_topic" "billing_alerts" {
  name = "aws-billing-alerts-topic"
}
resource "aws_sns_topic_policy" "default" {
  arn = aws_sns_topic.billing_alerts.arn
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "AWSBudgets-notification-permissions"
        Effect = "Allow"
        Principal = {
          Service = "budgets.amazonaws.com"
        }
        Action   = "SNS:Publish"
        Resource = aws_sns_topic.billing_alerts.arn
      }
    ]
  })
}
resource "aws_sns_topic_subscription" "email_target" {
  topic_arn = aws_sns_topic.billing_alerts.arn
  protocol  = "email"
  endpoint  = var.billing_email
}

4. The Budget Logic (budget.tf)

This is the core of our FinOps solution. We set up two alerts:

• Actual Spend: Warns when we hit 80% of the budget.
• Forecasted Spend: Warns if AWS predicts we will exceed the budget based on current usage trends.

resource "aws_budgets_budget" "monthly_cost" {
  name              = "monthly-cloud-budget"
  budget_type       = "COST"
  limit_amount      = var.budget_limit
  limit_unit        = "USD"
  time_unit         = "MONTHLY"
  time_period_start = "2024-01-01_00:00"

# Alert 1: Actual Spend > 80%
  notification {
    comparison_operator        = "GREATER_THAN"
    threshold                  = 80
    threshold_type             = "PERCENTAGE"
    notification_type          = "ACTUAL"
    subscriber_sns_topic_arns  = [aws_sns_topic.billing_alerts.arn]
  }
  # Alert 2: Forecasted Spend > 100%
  notification {
    comparison_operator        = "GREATER_THAN"
    threshold                  = 100
    threshold_type             = "PERCENTAGE"
    notification_type          = "FORECASTED"
    subscriber_sns_topic_arns  = [aws_sns_topic.billing_alerts.arn]
  }
}

Step 3: Deployment

To deploy this, run the standard Terraform lifecycle commands in your terminal. Here, the email variable is passed via the command line to keep it out of our code.

terraform init
terraform plan -var="billing_email=your_email@example.com"
terraform apply -var="billing_email=your_email@example.com"

The “Don’t Skip This!” Step

After terraform apply completes, Terraform has created the subscription request, but AWS will not send emails without permission.

• Go to your email inbox.
• Find the email from “AWS Notifications.”
• Click the Confirm subscription link.

If you skip this, the budget will trigger alerts, but you will never receive them.

Step 4: Verification

AWS billing data updates every 8–24 hours, so you likely won’t see a budget alert immediately. However, you should test the system to ensure the SNS topic is working.

• Go to the AWS Console -> Simple Notification Service (SNS).
• Select aws-billing-alerts-topic -> Publish message.
• Enter a test subject and body, then click Publish.
• Check your inbox. If the email arrives, your alert pipeline is live!

Tip: To verify the budget logic, you can update your budget_limit variable to 0.01 and run terraform apply again. By the next day, you should receive a genuine alarm from AWS stating you have exceeded your $0.01 budget.

Step 5: Clean Up (Destroy)

If this was just a lab experiment and you want to remove the resources to ensure zero costs, Terraform makes cleanup easy.

Run the destroy command:

terraform destroy -var="billing_email=your_email@example.com"

Terraform will list the resources it is about to delete (the Budget, the SNS Topic, and the Policy). Type yes to confirm.

Note: This command removes the infrastructure resources. It does not delete the IAM user (terraform-finops-bot) we created in Step 0. Since that user doesn't cost money, you can keep it for your next Terraform project, or manually delete it in the IAM Console if you want a completely clean slate.

Conclusion

By automating this setup with Terraform, you can include this module in every new environment you spin up. It takes about a minute or so to deploy, follows security best practices (least privilege, no hardcoded secrets), and provides peace of mind that lasts forever.

Also pray you never accidentally commit them or that they don’t leak! :D

So, we are going to build a static site pipeline with security in mind.

We are going to use:

1. Terraform for Infrastructure as Code (IaC).
2. AWS OIDC (OpenID Connect) so GitHub can deploy without us ever creating a long-term Access Key.
3. CloudFront Origin Access Control (OAC) to ensure our S3 bucket is totally private (no public access needed!).

Let’s build this right.

The Prerequisites

Before we dive in, make sure you have:

• An AWS Account (Use IAM user, not the root account).
• Terraform and AWS CLI installed on your machine.
• A GitHub Account.

Step 1: The Project Structure

Organization is key. We’re going to keep our infrastructure logic separate from our application code.

Create a folder named my-secure-site and set up the following structure:

my-secure-site/
├── src/                        # Your website goes here
│   └── index.html
├── .github/
│   └── workflows/
│       └── deploy.yml          # The pipeline configuration
├── terraform/                  # Infrastructure configuration
│   ├── main.tf
│   ├── variables.tf
│   ├── s3.tf
│   ├── cloudfront.tf
│   ├── iam.tf
│   └── outputs.tf
└── .gitignore

Crucial: Create the .gitignore file immediately to prevent committing secrets or state files.

Add the below to the .gitignore file:

.terraform/
*.tfstate
*.tfstate.*
*.tfvars
.DS_Store

Step 2: Initialize Git & Set Up the Repository

Before we write the infrastructure code, let’s get our version control ready.

• Create a Repository on GitHub:
• Go to GitHub.com and create a new repository (e.g., my-secure-site).
• Do not initialize it with a README or gitignore (we have those locally).
• Initialize Locally: Open your terminal in your project folder and run:

# Initialize Git
git init

# Create the main branch
git branch -M main

# Add your files (Create a dummy index.html first if you haven't)
echo "<h1>Hello World</h1>" > src/index.html
git add .

# First commit
git commit -m "initial commit"

# Link to your GitHub repo (Replace USERNAME and REPO with your own)
git remote add origin https://github.com/USERNAME/my-secure-site.git

# Push to GitHub
git push -u origin main

Now your code is safe in GitHub, and we are ready to build the infrastructure that will deploy it.

Step 3: The Infrastructure (Terraform)

Let’s write the IaC. You can copy-paste as well as understand the security logic below.

a. terraform/main.tf

This sets up the provider. We also fetch the GitHub certificate thumbprint dynamically here, so we don’t have to hardcode the numbers.

Terraform:

provider "aws" {
  region = var.aws_region
}

# Dynamically fetch the GitHub Actions certificate
data "tls_certificate" "github" {
  url = "https://token.actions.githubusercontent.com/.well-known/openid-configuration"
}
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

b. Lets now make, terraform/s3.tf .Here we are blocking all public access. We only want CloudFront to see our files, not the whole internet directly.

Terraform:

resource "aws_s3_bucket" "site_bucket" {
  bucket_prefix = "${var.project_name}-"
  force_destroy = true # Good for learning, remove for prod!
}

# 1. Block ALL public access
resource "aws_s3_bucket_public_access_block" "site_bucket_block" {
  bucket = aws_s3_bucket.site_bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
# 2. Encrypt it
resource "aws_s3_bucket_server_side_encryption_configuration" "enc" {
  bucket = aws_s3_bucket.site_bucket.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}
# 3. Policy: Allow ONLY CloudFront
resource "aws_s3_bucket_policy" "site_bucket_policy" {
  bucket = aws_s3_bucket.site_bucket.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AllowCloudFront"
        Effect    = "Allow"
        Principal = { Service = "cloudfront.amazonaws.com" }
        Action    = "s3:GetObject"
        Resource  = "${aws_s3_bucket.site_bucket.arn}/*"
        Condition = {
          StringEquals = {
            "AWS:SourceArn" = aws_cloudfront_distribution.site_distribution.arn
          }
        }
      }
    ]
  })
}

c. terraform/cloudfront.tf. We use Origin Access Control (OAC) here. It’s the modern, secure replacement for the old OAI method.

Terraform:

resource "aws_cloudfront_origin_access_control" "site_oac" {
  name                              = "${var.project_name}-oac"
  description                       = "OAC for static site"
  origin_access_control_origin_type = "s3"
  signing_behavior                  = "always"
  signing_protocol                  = "sigv4"
}
resource "aws_cloudfront_distribution" "site_distribution" {
  enabled             = true
  is_ipv6_enabled     = true
  default_root_object = "index.html"
  origin {
    domain_name              = aws_s3_bucket.site_bucket.bucket_regional_domain_name
    origin_id                = "S3-${aws_s3_bucket.site_bucket.id}"
    origin_access_control_id = aws_cloudfront_origin_access_control.site_oac.id
  }
  default_cache_behavior {
    allowed_methods  = ["GET", "HEAD"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "S3-${aws_s3_bucket.site_bucket.id}"
    cache_policy_id  = "658327ea-f89d-4fab-a63d-7e88639e58f6" # Managed-CachingOptimized
    viewer_protocol_policy = "redirect-to-https"
  }
  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }
  viewer_certificate {
    cloudfront_default_certificate = true
  }
}

d. terraform/iam.tf. Here we create an OIDC Provider that trusts GitHub. Then, we create a role that trusts your specific repository.

Terraform:

# Create the link between AWS and GitHub
resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.github.certificates[0].sha1_fingerprint]
}
# The Role GitHub will "assume"
resource "aws_iam_role" "github_actions_role" {
  name = "${var.project_name}-github-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRoleWithWebIdentity"
        Effect = "Allow"
        Principal = {
          Federated = aws_iam_openid_connect_provider.github.arn
        }
        Condition = {
          StringEquals = {
            # Only allow YOUR repository to assume this role
            "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com",
            "token.actions.githubusercontent.com:sub" = "repo:${var.github_repo}:ref:refs/heads/main"
          }
        }
      }
    ]
  })
}
# Permissions: Upload to S3 and Invalidate CloudFront
resource "aws_iam_role_policy" "github_actions_policy" {
  name = "${var.project_name}-policy"
  role = aws_iam_role.github_actions_role.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action   = ["s3:PutObject", "s3:ListBucket", "s3:DeleteObject"]
        Effect   = "Allow"
        Resource = [aws_s3_bucket.site_bucket.arn, "${aws_s3_bucket.site_bucket.arn}/*"]
      },
      {
        Action   = "cloudfront:CreateInvalidation"
        Effect   = "Allow"
        Resource = aws_cloudfront_distribution.site_distribution.arn
      }
    ]
  })
}

The Supporting Files

a. Now lets create, terraform/variables.tf

Terraform:

variable "aws_region" { default = "us-east-1" }
variable "project_name" { default = "my-secure-site" }
variable "github_repo" { 
  description = "Format: organization/repo" 
  type = string 
}

b. Then create, terraform/outputs.tf

These are the values we will need for GitHub.

Terraform:

output "role_arn" { value = aws_iam_role.github_actions_role.arn }
output "s3_bucket" { value = aws_s3_bucket.site_bucket.id }
output "cloudfront_id" { value = aws_cloudfront_distribution.site_distribution.id }
output "website_url" { value = aws_cloudfront_distribution.site_distribution.domain_name }

Step 4: Apply the Infrastructure

Head to your terminal. It’s time to build.

• Initialize Terraform:

cd terraform 
terraform init

• Apply: Replace the value below with your actual GitHub username and repo name.

terraform apply -var="github_repo=USERNAME/my-secure-site"

Note: If you get an “EntityAlreadyExists” error for the OIDC provider, it means you’ve connected GitHub to this AWS account before.

Just run terraform import aws_iam_openid_connect_provider.github arn:aws:iam::<YOUR_ACCOUNT_ID>:oidc-provider/token.actions.githubusercontent.com and apply again.

• Wait as CloudFront takes a few minutes (around 5 mins) to create.
• Outputs will be generated. When it finishes, Terraform will print the role_arn, s3_bucket, and cloudfront_id. Copy those values as we will need them later.

Step 5: GitHub Actions

Go to your GitHub Repository > Settings > Secrets and variables > Actions > Repository secrets > New repository secret.

Add these Repository Secrets:

• AWS_ROLE_ARN: (Paste the role_arn from Terraform output)
• AWS_S3_BUCKET: (Paste the s3_bucket)
• CLOUDFRONT_DISTRIBUTION_ID: (Paste the cloudfront distribution id, example: EDFDVBD632BHDS5)
• AWS_REGION: us-east-1

Now, create the workflow file .github/workflows/deploy.yml:

name: Deploy Static Site

on:
  push:
    branches:
      - main
permissions:
  id-token: write   
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4
     
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
          aws-region: ${{ secrets.AWS_REGION }}
      - name: Sync files to S3
        run: |
          aws s3 sync ./src s3://${{ secrets.AWS_S3_BUCKET }} --delete
      - name: Invalidate CloudFront Cache
        run: |
          aws cloudfront create-invalidation \
            --distribution-id ${{ secrets.CLOUDFRONT_DISTRIBUTION_ID }} \
            --paths "/*"

The Moment of Truth

• Add the new Terraform files and Workflow file to git:

cd .. # Go back to root
git add .
git commit -m "Add infrastructure and CI/CD"
git push origin main

• Head over to the Actions tab in GitHub. You’ll see your workflow start.
• GitHub asks AWS: “Hey, I’m USERNAME/my-secure-site. Can I be the github-role?"
• AWS checks the OIDC trust policy.
• AWS hands back a temporary token.
• GitHub syncs your HTML to S3 and invalidates the cache.

Boom! Your site is live!

Do some changes to your index.html file like adding another line. Then,

git add .
git commit -m "updated site"
git push origin main

The changes should be deployed through GitHub Actions and reflected in the browser soon.

Step 6: Teardown

When you are done testing or showcasing your project, you should destroy the infrastructure to avoid unexpected AWS bills. Because we used Terraform, we can nuke everything with a single command.

a. Destroying your infra

Go to your terraform/ folder in the terminal and run:

terraform destroy -var="github_repo=USERNAME/my-secure-site"

Replace the repo username with your own!

Terraform will list every resource it is about to delete (The S3 bucket, the CloudFront Distribution, the IAM Roles, etc.).

Type yes when prompted.

Note:

Usually, Terraform fails to delete an S3 bucket if it contains files (to prevent you from accidentally deleting data).

However, in our s3.tf file, we included this line:

force_destroy = true

This tells Terraform to delete the bucket even if it has files in it. This is perfect for test projects, but be careful using this setting in real production environments!

b. Cleanup GitHub (Optional)

The infrastructure is gone, but your GitHub repo settings remain. If you want a clean slate:

• Go to Settings > Secrets and variables > Actions.
• Delete the 4 repository secrets (AWS_ROLE_ARN, etc.).
• Delete the .terraform folder locally if you plan to start over completely.

Tip: If you ever want to bring the site back online, just run terraform apply again.

The new Output values will be generated, you update the GitHub Secrets, and your site is live again in minutes!

Conclusion

We just built a pipeline that is:

• Secure: No long-lived credentials to steal.
• Private: The S3 bucket is locked down; only CloudFront can access it.
• Automated: Just push code to deploy.

In the challenge, people usually make showcase their site/portfolio using the popular cloud service provider (i.e. AWS, Azure, GCP) using various core services of the respective cloud service provider. In the step-by-step guide, we are going to do the challenge in the AWS Cloud.

But we aren’t just going to click around in the AWS Console until it works. We are going to build this using Terraform.

Why Terraform?

Writing Infrastructure as Code (IaC) is how you prove you know the how.

IaC allows you to provision and manage infrastructure through code rather than manual processes, making your build reproducible, versionable, and less prone to human error. Learn more about Terraform here.

(Plus clicking buttons in the console can get tiring pretty fast) :D

We are sticking to two rules:

1. Security: No public S3 buckets. We lock everything down.
2. Budget Friendly: We are using the cheapest (or free) options available.

Disclaimer: Even though I am doing this as cheaply as possible, there may still be unexpected cost, so do keep an eye on your AWS Billing Dashboard. Also, always set up an AWS Budget alert before you begin.

Prerequisites

• An AWS Account (Root user secured with MFA!).
• An IAM Admin User (Don’t use Root for this!).
• Terraform installed on your laptop.
• AWS CLI installed and configured (aws configure).

📂Project Directory Tree:

cloud-resume-challenge/
├── 00-bootstrap/
│   └── main.tf               # Creates the S3 Bucket & DynamoDB for State Locking
│
└── 01-resume-infra/
    ├── backend.tf            # API Gateway, DynamoDB, Lambda, IAM Roles
    ├── main.tf               # S3 Website Bucket, CloudFront, OAC, Bucket Policy
    ├── providers.tf          # AWS Provider & Backend Configuration
    ├── index.html            # Your Resume HTML
    └── lambda/
        └── func.py           # Python script to update visitor count

Part 1: Bootstrap

Terraform keeps a record of everything it creates in a file called terraform.tfstate.

Bad practice: Keeping this file on your laptop (if you lose your laptop, you lose your infrastructure).

Good practice: Storing this file in the cloud (AWS S3) and locking it so two people can’t edit it at once (DynamoDB).

We need to create that S3 bucket before we can store the state in it. This is the “Bootstrap” phase.

1. Create the folder structure: Create a new folder for your project (let’s call it cloud-resume-challenge). Inside it, create two folders: 00-bootstrap and 01-resume-infra.

2. The Bootstrap Code: Create 00-bootstrap/main.tf and paste the code below.

• Critical: Change the bucket name to something unique (e.g., yourname-state-bucket-2025). Bucket names must be globally unique!

Below is the Terraform code:

provider "aws" {
  region = "us-east-1"
}

resource "aws_s3_bucket" "terraform_state" {
  bucket        = "my-terraform-state-bucket-nepal-34324951" #Change this to something unique!
  force_destroy = true 
}
resource "aws_s3_bucket_versioning" "enabled" {
  bucket = aws_s3_bucket.terraform_state.id
  versioning_configuration { status = "Enabled" }
}
resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
  bucket = aws_s3_bucket.terraform_state.id
  rule {
    apply_server_side_encryption_by_default { sse_algorithm = "AES256" }
  }
}
resource "aws_s3_bucket_public_access_block" "public_access" {
  bucket                  = aws_s3_bucket.terraform_state.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
resource "aws_dynamodb_table" "terraform_locks" {
  name         = "terraform-locks"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"
  attribute {
    name = "LockID"
    type = "S"
  }
}
output "s3_bucket_name" { value = aws_s3_bucket.terraform_state.id }
output "dynamodb_table_name" { value = aws_dynamodb_table.terraform_locks.name }

3. Deploy the Safe: Open your terminal in 00-bootstrap:

terraform init
terraform apply

• Type yes when asked.
• Write down the S3 bucket name that it outputs in a notepad. You need this for the next part.

Part 2: The Infrastructure

Now that we have a safe place to store our state, let’s build the resume/portfolio site. Move into the 01-resume-infra folder.

1. Configure the Provider:

Create 01-resume-infra/providers.tf. This tells Terraform “Hey, don’t save the state on my laptop; save it in that bucket we just made.”

Terraform:

terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = "~> 5.0" }
  }
  backend "s3" {
    bucket         = "my-terraform-state-bucket-nepal-34324951" #Same Bucket name from Part 1
    key            = "resume-project/terraform.tfstate"
    region         = "us-east-1"
    dynamodb_table = "terraform-locks"
    encrypt        = true
  }
}

provider "aws" { region = "us-east-1" }

2. The Frontend (S3 + CloudFront):

Create 01-resume-infra/main.tf.

We are not using “S3 Static Website Hosting” because that’s insecure (http only). We are using CloudFront to serve it securely via HTTPS.

Note: You can replace my-awesome-resume-site-2025 with a unique name.

Terraform:

# 1. The Bucket for the Website
resource "aws_s3_bucket" "resume_bucket" {
  bucket = "my-awesome-resume-site-2025"
  force_destroy = true
}

# 2. Block Public Access
resource "aws_s3_bucket_public_access_block" "resume_bucket_public" {
  bucket = aws_s3_bucket.resume_bucket.id

block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# 3. Add an index.html file
resource "aws_s3_object" "index" {
  bucket       = aws_s3_bucket.resume_bucket.id
  key          = "index.html"
  content      = templatefile("${path.module}/index.html", {
    api_url = "${aws_apigatewayv2_api.http_api.api_endpoint}/count"
  })

content_type = "text/html"
  
etag         = md5(templatefile("${path.module}/index.html", {
    api_url = "${aws_apigatewayv2_api.http_api.api_endpoint}/count"
  }))
}

# 4. Origin Access Control (OAC)

resource "aws_cloudfront_origin_access_control" "resume_oac" {
  name                              = "resume-oac"
  description                       = "OAC for Resume Website"
  origin_access_control_origin_type = "s3"
  signing_behavior                  = "always"
  signing_protocol                  = "sigv4"
}

# ---------------------------------------------------------
# 5. CLOUDFRONT DISTRIBUTION
# ---------------------------------------------------------

resource "aws_cloudfront_distribution" "s3_distribution" {
  origin {
    domain_name              = aws_s3_bucket.resume_bucket.bucket_regional_domain_name
    origin_id                = "my-s3-origin"
    origin_access_control_id = aws_cloudfront_origin_access_control.resume_oac.id
  }

enabled             = true
  is_ipv6_enabled     = true
  default_root_object = "index.html"

# SECURITY
  default_cache_behavior {
    allowed_methods  = ["GET", "HEAD"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "my-s3-origin"

forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }

viewer_protocol_policy = "redirect-to-https" 
    min_ttl                = 0
    default_ttl            = 3600
    max_ttl                = 86400
  }

price_class = "PriceClass_100"

restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

viewer_certificate {
    cloudfront_default_certificate = true
  }
}

# ---------------------------------------------------------
# 6. S3 BUCKET POLICY (THE BOUNCER)
# ---------------------------------------------------------

resource "aws_s3_bucket_policy" "allow_cloudfront" {
  bucket = aws_s3_bucket.resume_bucket.id
  policy = data.aws_iam_policy_document.allow_cloudfront.json
}

data "aws_iam_policy_document" "allow_cloudfront" {
  statement {
    sid    = "AllowCloudFrontServicePrincipal"
    effect = "Allow"
    actions = [
      "s3:GetObject"
    ]
    resources = [
      "${aws_s3_bucket.resume_bucket.arn}/*"
    ]

principals {
      type        = "Service"
      identifiers = ["cloudfront.amazonaws.com"]
    }

condition {
      test     = "StringEquals"
      variable = "AWS:SourceArn"
      values   = [aws_cloudfront_distribution.s3_distribution.arn]
    }
  }
}

# ---------------------------------------------------------
# 7. OUTPUTS
# ---------------------------------------------------------

output "website_url" {
  description = "The CloudFront URL to access your website"
  value       = "https://${aws_cloudfront_distribution.s3_distribution.domain_name}"
}

3. The Backend Logic (Python):

We need a script to count visitors.

• Create a folder 01-resume-infra/lambda.
• Inside it, create func.py.

Python

import json
import boto3
import os

# Initialize DynamoDB client
dynamodb = boto3.resource('dynamodb')
# "visitor_count" is the table name we will create in Terraform below
table = dynamodb.Table(os.environ['TABLE_NAME'])

def lambda_handler(event, context):
    try:
        response = table.update_item(
            Key={'id': 'count'},
            UpdateExpression="ADD visitors :inc",
            ExpressionAttributeValues={':inc': 1},
            ReturnValues="UPDATED_NEW"
        )
        
        visit_count = int(response['Attributes']['visitors'])
        
        return {
            'statusCode': 200,
            'headers': {
                'Content-Type': 'application/json',
                'Access-Control-Allow-Origin': os.environ['ALLOWED_ORIGIN']
            },
            'body': json.dumps({'count': visit_count})
        }
    except Exception as e:
        print(e)
        return {
            'statusCode': 500,
            'body': json.dumps('Error updating count')
        }

4. The Backend Infrastructure (API Gateway + DynamoDB):

Create 01-resume-infra/backend.tf. This sets up the database, the Lambda function, and the API Gateway URL.

Terraform:

resource "aws_dynamodb_table" "counter_table" {
  name         = "visitor_count"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "id"

  attribute {
    name = "id"
    type = "S"
  }
}

data "archive_file" "lambda_zip" {
  type        = "zip"
  source_file = "${path.module}/lambda/func.py"
  output_path = "${path.module}/lambda/func.zip"
}

resource "aws_lambda_function" "visitor_counter" {
  filename         = data.archive_file.lambda_zip.output_path
  function_name    = "visitor_counter_func"
  role             = aws_iam_role.lambda_role.arn
  handler          = "func.lambda_handler"
  runtime          = "python3.9"
  source_code_hash = data.archive_file.lambda_zip.output_base64sha256

  environment {
    variables = {
      TABLE_NAME     = aws_dynamodb_table.counter_table.name
      ALLOWED_ORIGIN = "https://${aws_cloudfront_distribution.s3_distribution.domain_name}"
    }
  }
}

resource "aws_iam_role" "lambda_role" {
  name = "visitor_counter_role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action = "sts:AssumeRole"
      Effect = "Allow"
      Principal = { Service = "lambda.amazonaws.com" }
    }]
  })
}

resource "aws_iam_policy" "lambda_policy" {
  name = "visitor_counter_policy"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "dynamodb:GetItem",
          "dynamodb:UpdateItem",
          "dynamodb:PutItem"
        ]
        Resource = aws_dynamodb_table.counter_table.arn
      },
      {
        Effect = "Allow"
        Action = [
          "logs:CreateLogGroup",
          "logs:CreateLogStream",
          "logs:PutLogEvents"
        ]
        Resource = "arn:aws:logs:*:*:*"
      }
    ]
  })
}

# Attach the policy to the role
resource "aws_iam_role_policy_attachment" "lambda_attach" {
  role       = aws_iam_role.lambda_role.name
  policy_arn = aws_iam_policy.lambda_policy.arn
}

resource "aws_apigatewayv2_api" "http_api" {
  name          = "visitor_counter_api"
  protocol_type = "HTTP"
  
  #Only allow your CloudFront domain to call this API
  cors_configuration {
    allow_origins = ["https://${aws_cloudfront_distribution.s3_distribution.domain_name}"] 
    allow_methods = ["POST", "GET"]
    allow_headers = ["content-type"]
    max_age       = 300
  }
}

resource "aws_apigatewayv2_stage" "default" {
  api_id      = aws_apigatewayv2_api.http_api.id
  name        = "$default"
  auto_deploy = true

  default_route_settings {
    throttling_burst_limit = 5
    throttling_rate_limit  = 10
  }
}

# Connect API to Lambda
resource "aws_apigatewayv2_integration" "lambda_integration" {
  api_id           = aws_apigatewayv2_api.http_api.id
  integration_type = "AWS_PROXY"
  integration_uri  = aws_lambda_function.visitor_counter.invoke_arn
}

resource "aws_apigatewayv2_route" "default_route" {
  api_id    = aws_apigatewayv2_api.http_api.id
  route_key = "POST /count" 
  target    = "integrations/${aws_apigatewayv2_integration.lambda_integration.id}"
}

# Permission for API Gateway to invoke Lambda
resource "aws_lambda_permission" "api_gw" {
  statement_id  = "AllowExecutionFromAPIGateway"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.visitor_counter.function_name
  principal     = "apigateway.amazonaws.com"
  source_arn    = "${aws_apigatewayv2_api.http_api.execution_arn}/*/*"
}

# Output the API URL
output "api_endpoint" {
  value = "${aws_apigatewayv2_api.http_api.api_endpoint}/count"
}

Part 3: The Code & Deploy

1. Create the HTML file

Create 01-resume-infra/index.html. Copy the code below.

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <title>Cloud Engineer Portfolio</title>
    <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css">
    <style>
        :root {
            --primary-color: #2c3e50; 
            --secondary-color: #3498db;
            --bg-light: #f4f7f6;
            --text-dark: #333;
            --text-light: #ecf0f1;
            --sidebar-width: 300px;
        }

        * {
            margin: 0;
            padding: 0;
            box-sizing: border-box;
        }

        body {
            font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
            background-color: var(--bg-light);
            color: var(--text-dark);
            line-height: 1.6;
        }

        /* Main Layout */
        .container {
            display: flex;
            min-height: 100vh;
            max-width: 1200px;
            margin: 0 auto;
            background: #fff;
            box-shadow: 0 0 20px rgba(0,0,0,0.1);
        }

        /* Sidebar Styles */
        .sidebar {
            background-color: var(--primary-color);
            color: var(--text-light);
            width: var(--sidebar-width);
            padding: 30px;
            flex-shrink: 0;
            text-align: center;
        }

        .profile-img {
            width: 150px;
            height: 150px;
            background-color: #ddd; /* Placeholder gray */
            border-radius: 50%;
            border: 5px solid var(--secondary-color);
            margin: 0 auto 20px;
        }

        .sidebar h1 {
            font-size: 1.8rem;
            margin-bottom: 10px;
        }

        .sidebar h2 {
            font-size: 1.1rem;
            font-weight: 400;
            color: var(--secondary-color);
            margin-bottom: 30px;
        }

        .contact-info, .skills-list, .education-list {
            text-align: left;
            margin-bottom: 30px;
            list-style: none;
        }

        .sidebar-section-title {
            text-transform: uppercase;
            letter-spacing: 1px;
            margin-bottom: 15px;
            padding-bottom: 5px;
            border-bottom: 2px solid var(--secondary-color);
        }

        .contact-info li, .education-list li {
            margin-bottom: 15px;
            display: flex;
            align-items: center;
        }

        .contact-info i {
            margin-right: 10px;
            color: var(--secondary-color);
            width: 20px;
            text-align: center;
        }

        .contact-info a {
            color: var(--text-light);
            text-decoration: none;
            transition: color 0.3s;
        }

        .contact-info a:hover {
            color: var(--secondary-color);
        }

        /* Skill tags styles */
        .skill-tags {
            display: flex;
            flex-wrap: wrap;
            gap: 10px;
        }

        .skill-tag {
            background: rgba(255,255,255,0.1);
            padding: 5px 10px;
            border-radius: 5px;
            font-size: 0.9rem;
        }

        /* Main Content Styles */
        .main-content {
            flex-grow: 1;
            padding: 40px;
        }

        section {
            margin-bottom: 40px;
        }

        h3.section-title {
            color: var(--primary-color);
            font-size: 1.5rem;
            text-transform: uppercase;
            margin-bottom: 20px;
            padding-bottom: 10px;
            border-bottom: 2px solid #eee;
        }

        .resume-item {
            margin-bottom: 25px;
        }

        .resume-header {
            display: flex;
            justify-content: space-between;
            margin-bottom: 10px;
        }

        .resume-header h4 {
            font-size: 1.2rem;
            color: var(--primary-color);
        }

        .resume-header .date {
            color: var(--secondary-color);
            font-weight: bold;
            font-size: 0.9rem;
        }

        .resume-item ul {
            margin-left: 20px;
            list-style-type: square;
        }
        
        .project-tech-stack {
            font-size: 0.9em;
            color: #666;
            font-style: italic;
            margin-top: 5px;
        }

        /* Footer & Counter Styles */
        .footer {
            text-align: center;
            padding: 20px;
            background: #f9f9f9;
            border-top: 1px solid #eee;
            font-size: 0.9rem;
            color: #777;
        }

        .counter-container {
            display: inline-block;
            background: var(--primary-color);
            color: white;
            padding: 10px 20px;
            border-radius: 50px;
            margin-top: 10px;
            box-shadow: 0 4px 6px rgba(0,0,0,0.1);
        }

        .counter {
            font-weight: bold;
            font-size: 1.2em;
            color: var(--secondary-color);
            margin-left: 5px;
        }

        /* Responsive Design */
        @media (max-width: 768px) {
            .container {
                flex-direction: column;
                margin: 0;
            }
            .sidebar {
                width: 100%;
                padding: 40px 20px;
            }
            .main-content {
                padding: 30px 20px;
            }
            .resume-header {
                flex-direction: column;
            }
        }
    </style>
</head>
<body>

<div class="container">
    <aside class="sidebar">
        <div class="profile-img" title="Put your photo here"></div>
        <h1>[Your Name]</h1>
        <h2>Cloud/DevOps Engineer</h2>

        <h3 class="sidebar-section-title">Contact</h3>
        <ul class="contact-info">
            <li><i class="fas fa-envelope"></i> <a href="youremail@example.com">email@example.com</a></li>
            <li><i class="fab fa-linkedin"></i> <a href="#" target="_blank">LinkedIn Profile</a></li>
            <li><i class="fab fa-github"></i> <a href="#" target="_blank">GitHub Profile</a></li>
            <li><i class="fas fa-map-marker-alt"></i> City, Country</li>
        </ul>

        <h3 class="sidebar-section-title">Skills</h3>
        <div class="skill-tags">
            <span class="skill-tag">AWS</span>
            <span class="skill-tag">Terraform (IaC)</span>
            <span class="skill-tag">Python</span>
            <span class="skill-tag">CI/CD Pipelines</span>
            <span class="skill-tag">Docker</span>
            <span class="skill-tag">Linux Admin</span>
            <span class="skill-tag">Git</span>
        </div>

        <br>
        <h3 class="sidebar-section-title">Education & Certs</h3>
        <ul class="education-list">
            <li>
                <strong>AWS Certified Solutions Architect - Associate</strong><br>
                <small>2023</small>
            </li>
            <li>
                <strong>B.S. Computer Science</strong><br>
                <small>University Name, 2020</small>
            </li>
        </ul>
    </aside>

    <main class="main-content">
        <section>
            <h3 class="section-title">Summary</h3>
            <p>Highly motivated Cloud Engineer with a passion for automating infrastructure and building scalable serverless applications. Proven ability to design secure AWS environments using Infrastructure as Code (Terraform). Eager to leverage skills in a challenging DevOps role.</p>
        </section>

        <section>
            <h3 class="section-title">Projects</h3>
            
            <div class="resume-item">
                <div class="resume-header">
                    <h4>Serverless Cloud Resume Challenge</h4>
                    <span class="date">Current Month, 202X</span>
                </div>
                <ul>
                    <li>Designed and deployed a secure, serverless portfolio website on AWS.</li>
                    <li>Implemented 100% of the infrastructure using Terraform for reproducibility.</li>
                    <li>Utilized S3 for static hosting, CloudFront with OAC for secure HTTPS delivery, and Route53 for DNS.</li>
                    <li>Created a visitor counter backend using API Gateway, Lambda (Python), and DynamoDB with transactional updates.</li>
                    <li>Set up Github Actions for CI/CD automated deployment (Optional add-on).</li>
                </ul>
                <p class="project-tech-stack">Tech: AWS (S3, CloudFront, APIGW, Lambda, DynamoDB), Terraform, Python, HTML/CSS.</p>
            </div>

            <div class="resume-item">
                <div class="resume-header">
                    <h4>Another Sample Project</h4>
                    <span class="date">Jan 2023 - Mar 2023</span>
                </div>
                <ul>
                    <li>Developed a highly available three-tier web application architecture.</li>
                    <li>Automated EC2 instance provisioning using auto-scaling groups and application load balancers.</li>
                </ul>
            </div>
        </section>

        <section>
            <h3 class="section-title">Professional Experience</h3>
            
            <div class="resume-item">
                <div class="resume-header">
                    <h4>Junior Cloud Admin | Tech Company Inc.</h4>
                    <span class="date">2021 - Present</span>
                </div>
                <ul>
                    <li>Managed daily operations of AWS cloud infrastructure, ensuring 99.9% uptime.</li>
                    <li>Migrated on-premise legacy applications to AWS EC2 instances.</li>
                    <li>Assisted in implementing security best practices using IAM policies and security groups.</li>
                </ul>
            </div>
        </section>
    </main>
</div>

<footer class="footer">
    <p>Designed & Built by [Your Name] using AWS Serverless services.</p>
    <div class="counter-container">
        Visitor Count: <span id="counter" class="counter">Loading...</span>
    </div>
</footer>

<script>
    const apiUrl = "${api_url}"; 
    
    fetch(apiUrl, { method: 'POST' })
        .then(response => response.json())
        .then(data => {
            document.getElementById('counter').innerText = data.count;
        })
        .catch(error => {
            console.error('Error:', error);
            document.getElementById('counter').innerText = "Error";
        });
</script>

</body>
</html>

2. Deploy Everything

Open your terminal in 01-resume-infra and run:

terraform init
terraform apply

Type yes. Now, wait (CloudFront takes about 3-5 minutes to create).

What just happened?

Terraform calculated the dependency graph. It realized it needed to create the API Gateway first to get the URL. Then, it used the templatefile function to inject that URL into your HTML. Finally, it uploaded the specific HTML file to S3.

3. Test it!

Terraform will output a website_url. Click it.

You should see your site, and the visitor count (scroll to the end of the site to see it) should automatically update.

Now you should modify the site to actually look like a resume one as the above one is just a template.

Part 4: How to Tear It Down!

When you are done, or if you mess up and want to start over, you must destroy resources to avoid costs.

Follow This Order:

1. Go to 01-resume-infra and run terraform destroy. (Wait for CloudFront to delete).

2. Go to 00-bootstrap and run terraform destroy.

🎉Congratulations! You just built a serverless application using Infrastructure as Code. 👏

Are you looking for ways to host that static website but you don’t have much experience in AWS Cloud?

Well look no further, you have reached your destination! Here we will learn how to securely host your static website content in AWS (Amazon Web Services) using two services — CloudFront and S3.

First of all, you need access to AWS Management Console, which you can access through signing up for your own AWS account or get paid sandbox access using third parties (like Whizlab). It looks something like this below!

You will also need some static website files to upload (you can create your own or find templates online). Now that’s out of the way, let us look at simple steps to host a static website using S3 and CloudFront.

1. After logging to the AWS Management Console, search for S3 (S3 or Simple Storage Service is an object storage service in AWS) and select it.

2. After that you will go to S3 dashboard and now you need to select “Create bucket”.

3. That will bring you to next step, i.e. creating an S3 bucket as shown below. Add a unique name for in the “Bucket name” field (it has to be unique). Leave the rest of the settings as it is and hit “Create bucket” at the end.

4. After creating the bucket, you will see your created bucket in the dashboard as shown below and then select your newly created bucket to enter it.

5. Inside the bucket you will see a bunch of different settings like Objects, Metadata, Properties, Permissions and so on. You will also see that this is where you can upload your content in the bucket.

6. Click on “Upload” and that will bring you to another page where you will find that you can “drag and drop” your files and folders or you could select the “Add Files” and “Add Folder” to select the files/folders in your local system.

7. After selecting or drag/drop your files, click on the “Upload” button in the down right corner.

8. Once the upload is completed, you can go back to the bucket and see your files inside.

9. Now leave the the S3 screen as it is and in the search bar at the top, search “CloudFront” and select it.

10. This will take you the CloudFront dashboard, where you click on “Create distribution” button.

11. This will take you to the configuration for the distribution of CloudFront. Now, in the origin domain section, select the S3 bucket that we create earlier in the above steps. The configuration page of CloudFront will look as shown in the below image.

12. In the same settings page, go to “Origin access” and select “Origin access control settings (recommended)”. When you select that, a new setting will open as highlighted in the image above. You now need to click on “Create new OAC”, which will bring you to a new pop up where you can simply click on “Create” without changing anything.

13. After that, you will back to the Distribution page, where you need to scroll to the “Web Application Firewall (WAF)” section. In WAF setting, select “Do not enable security protections” if you don’t need extra security from WAF. In this demo, we will select this.

14. Now leave other settings as default and create the distribution. This will take you to a new page as shown below.

15. As you can see in the image above, you will now see the “The S3 bucket policy needs to be updated” message and a “Copy policy” beside it. Hit “Copy policy”. This will copy the policy, which you will paste in your S3 bucket policy.

16. In the S3 bucket dashboard that you left open earlier, go to the “Permissions” tab and scroll to the “Bucket policy” setting.

17. Hit edit in the Bucket policy and inside the empty area below “Policy”, paste the policy that you copied earlier and save it.

18. Now go back to CloudFront, and see your distribution being deployed. There you will see the domain name.

19. Copy the domain name and paste and hit it in a new tab in your browser. You can now see your website that is being hosted in the S3 from your browser.

(Note: In case you see some kind of error or message, wait for a couple of more minutes and refresh the page)

So that’s it!!! You have hosted a static website using Amazon CloudFront and S3 in a secure way.

There are very few words people like more than the word “Free”. The same holds true in the realm of cloud computing, especially since working in the cloud can get expensive quickly.

Be it running that Amazon EC2 instance or maybe you want to hop on the generative AI train with Amazon Bedrock, all of that can quickly empty your pockets- quite quickly might I add. So when you hear about Free Credits, you might as well take advantage of that!

And AWS is quite generous with its free credits! From a few dollars to thousands of dollars, there are quite a lot of credits that they provide for free!

Of course, there’s no such thing as free meals in this world, so what’s the catch you might ask? The catch is that the free credits probably won’t sustain you in the long run as it is generally geared towards letting the users get experience in the AWS cloud and use their services. So basically it's an incentive to attract people and businesses so that they will hopefully become a customer of AWS in the long run!

So yeah, don’t depend upon those credits to fully sustain you for the long run!

Now these pesky details are out of the way, let’s get to the good parts! There are quite a few different ways to get credits for free depending on the use cases and of course, there are different Terms and Conditions for each of these to apply so better check them out.

1. Firstly, you have AWS Rapid Ramp Credits, where you can apply for $300 worth of AWS credits! This provides a $300 credit to small businesses to quickly get started testing AWS against their specific IT and business requirements by subsidizing a proof of concept. The instructions to apply for the credits are mentioned on the site so it’s pretty straightforward!
2. Then for those of you in the startup scene, you can apply for the AWS Activate Credits. It has two different credit packages- one is the Activate Founders ( $1,000 AWS Activate Credits) and the other is the Activate Portfolio ($100,000 AWS Activate Credits). Both of these can be a substantial help for those who want to build their startup in the AWS!
3. Now for those of you who are in the research field, there’s AWS Cloud Credit for Research. Be it a student, faculty, or research staff, there’s something for everyone!
4. And for those of you in the non-profit sector feeling left behind, no need to fret too much! AWS got you covered with The AWS Nonprofit Credit Program.
5. For those of you who want to work with Content Delivery Network on the AWS, you can use the Amazon CloudFront Proof of Concept Program, where you can $300 worth of AWS Credits.
6. Lastly, you can also find some free credits, usually worth $25-$50 by being active in various AWS events, and by filling out some surveys provided in those events. So that means you gotta be active in the AWS Community! I have gotten around three of these credits in the past year or so. So always be on the lookout for such events!

As I have said already, these different ways to get free credits have their terms and conditions so don’t be too sad if you don’t meet their T&C. Also, there may be more of these types of free credits program run by AWS so always be on a lookout for them on the internet!

Hopefully, some of these methods will come in handy for you and you will get those free credits to help build in the AWS cloud!