AWS Scripts
AWS scripts wrap deployment operations and use scripts/aws/lib.sh for shared behavior (region defaults, Terraform output reading, tool availability checks). All scripts take an environment name (dev or prod) as their first argument.
For the full deployment sequences and context on when to use each script, see Operations Runbooks.
bootstrap-terraform-state.sh
ENV=dev AWS_REGION=us-west-1 scripts/aws/bootstrap-terraform-state.sh
Creates the S3 state bucket and DynamoDB lock table for Terraform. Run this once per environment before the first terraform plan. It's safe to run again if the resources already exist.
terraform-plan.sh
scripts/aws/terraform-plan.sh dev
Runs terraform init, terraform fmt -check, terraform validate, and terraform plan -out tfplan-dev. The saved plan file is used by terraform-apply.sh.
Always run this before applying. Read the full output before proceeding.
terraform-apply.sh
scripts/aws/terraform-apply.sh dev
# Production requires explicit confirmation:
scripts/aws/terraform-apply.sh prod --confirm-prod
Applies the saved plan from terraform-plan.sh. The --confirm-prod flag prevents accidental production changes.
build-images.sh
scripts/aws/build-images.sh dev
Builds all service Docker images locally. Each image gets two tags:
- <git-sha> — for traceability (know exactly what code is running)
- dev-current — the "current" tag referenced by ECS task definitions
Images built:
- vega-api
- vega-worker
- vega-maintenance
- vega-llm-proxy
- vega-core-runner
Images are always built for the linux/amd64 platform to match the ECS Fargate task definitions (which use X86_64). Override with DOCKER_PLATFORM=linux/arm64 if you need a different target.
Architecture mismatch causes exec format error
If you build images on an Apple Silicon (ARM) Mac without explicitly targeting linux/amd64, ECS tasks will fail at startup with exec format error. The script sets linux/amd64 as the default to prevent this.
push-images.sh
scripts/aws/push-images.sh dev
Authenticates with ECR, tags all local images with the full ECR registry URL, and pushes both the SHA and dev-current tags. ECS will use the dev-current tag when the next deployment starts.
deploy-services.sh
scripts/aws/deploy-services.sh dev
Forces a new ECS deployment for vega-api, vega-worker, and vega-llm-proxy. ECS stops old tasks and starts new ones using the current task definition. The script waits for all services to report stable before exiting.
Service names are read from Terraform outputs (api_service_name, worker_service_name, llm_proxy_service_name) rather than being guessed from a naming convention. This means the names are always consistent with what Terraform created, even if the naming scheme changes.
run-migrations.sh
scripts/aws/run-migrations.sh dev
scripts/aws/run-migrations.sh prod
Launches the vega-maintenance ECS task with the migration command (python scripts/run-db-migrations.py), waits for the task to stop, and exits with a non-zero code if the container failed.
Run this before deploy-services.sh when deploying new schema changes.
smoke-test.sh
scripts/aws/smoke-test.sh dev
# Override the API URL:
API_BASE_URL=https://api.dev.vega.example.com scripts/aws/smoke-test.sh dev
Checks that the deployed API health endpoint (/v1/healthz) returns 200. Reads api_base_url from Terraform outputs if available.
A passing smoke test confirms the API container is running and responding. It does not verify that scans can complete end-to-end.