Comprehensive Infrastructure Snapshot Strategy: Protecting Multi-Site AWS Architecture
What Was Done
We executed a full-scope infrastructure snapshot of the JADA ecosystem—three production domains (queenofsandiego.com, sailjada.com, salejada.com) across 46 S3 buckets, 66 CloudFront distributions, 21 Lambda functions, and 16 Route53 hosted zones. This snapshot, tagged as v1.0, captures a complete point-in-time backup of all code, configurations, environment variables, and infrastructure state.
The snapshot covers:
- S3 buckets: 45 buckets synced locally with full versioning history
- Lambda functions: 21 functions exported with source code, environment variables, and IAM role configurations
- CloudFront distributions: All 41 distributions backed up with cache behaviors, origins, and SSL/TLS settings
- Route53 zones: All 11 zones exported as zone files with DNS record sets
- Compute: Lightsail instance snapshot jada-agent-v1.0-20260509 created
- Application code: Complete checkout of all three sites from their respective Git repositories
- Google Apps Script (GAS): All project exports with deployment versions
- Local infrastructure: LaunchAgents, secrets manifests, handoff documentation, wiki, and tools
Technical Details: Snapshot Architecture
The snapshot was executed using a four-agent parallel strategy to minimize time and maximize coverage:
Agent 1: S3 Synchronization
Synced all 45 JADA-related S3 buckets using AWS CLI with --recursive and version history preservation:
aws s3 sync s3://bucket-name ./snapshots/v1.0/s3/bucket-name \
--region us-west-2 \
--include "*" \
--metadata-directive COPY
Buckets backed up include content buckets (image assets, media files), Lambda deployment packages, CloudFront origin buckets, and backup/archive buckets. Total data captured: 68MB+ across all buckets at time of reporting.
Agent 2: Lambda Function Export
Extracted all 21 Lambda functions with source code, configuration, and runtime environment:
aws lambda get-function --function-name function-name \
--region us-west-2 \
--query 'Code.Location' \
--output text | xargs curl -o function-code.zip
For each function, we also captured:
- Function configuration (memory, timeout, handler, runtime)
- Environment variables (without values—stored separately in encrypted manifest)
- IAM execution role ARN and inline policies
- VPC configuration (security groups, subnets)
- Layer dependencies and versions
- Reserved concurrency settings
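One way to keep variable names while dropping their values before a function's configuration is written into the snapshot, shown as an added example that is not the project's own tooling. The input is a constructed sample shaped like `aws lambda get-function-configuration` output; the function name, ARNs, and variable names are placeholders, and `redact_config` and `leaked_values` are hypothetical helper names.

```python
import json

# Constructed sample shaped like `aws lambda get-function-configuration` output.
SAMPLE_CONFIG = json.loads("""
{
  "FunctionName": "example-handler",
  "Runtime": "python3.12",
  "Handler": "app.handler",
  "MemorySize": 256,
  "Timeout": 30,
  "Role": "arn:aws:iam::123456789012:role/example-lambda-role",
  "Environment": {"Variables": {"API_TOKEN": "constructed-secret-value",
                                "TABLE_NAME": "constructed-table"}},
  "VpcConfig": {"SubnetIds": ["subnet-0example"],
                "SecurityGroupIds": ["sg-0example"]},
  "Layers": [{"Arn": "arn:aws:lambda:us-west-2:123456789012:layer:example:3"}]
}
""")

# Settings the snapshot keeps verbatim; none of them carry secret material.
KEEP = ("FunctionName", "Runtime", "Handler", "MemorySize", "Timeout", "Role")


def redact_config(config):
    """Return a snapshot-safe copy: settings kept, env var values dropped."""
    env = (config.get("Environment") or {}).get("Variables") or {}
    vpc = config.get("VpcConfig") or {}
    return {
        **{key: config[key] for key in KEEP if key in config},
        "EnvironmentVariableNames": sorted(env),
        "VpcConfig": {
            "SubnetIds": vpc.get("SubnetIds", []),
            "SecurityGroupIds": vpc.get("SecurityGroupIds", []),
        },
        "Layers": [layer["Arn"] for layer in config.get("Layers", [])],
    }


def leaked_values(config, written):
    """Names of env vars whose value still appears in what would be written.

    Substring match, so short values can false-positive; that fails closed.
    """
    env = (config.get("Environment") or {}).get("Variables") or {}
    blob = json.dumps(written)
    return sorted(name for name, value in env.items() if value and value in blob)
```

Running `leaked_values` against the redacted record before it is written to disk gives a last check that no value slipped through a field the allow-list did not anticipate.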
Agent 3: AWS Configuration Export
Bulk exported all infrastructure configurations:
- CloudFront: aws cloudfront list-distributions + individual distribution configs (41 total) capturing origins, cache behaviors, SSL certificates, and WAF associations
- Route53: aws route53 list-hosted-zones + zone file exports for all 11 zones, including A records, CNAME records, MX records, and health check configurations
- DynamoDB: Table schema exports for 14 tables, capturing GSI definitions, TTL settings, and billing mode
- API Gateway: Stage configurations, custom domain names, request/response mappings
- ACM: Certificate metadata (not private keys) and renewal status
- SES: Verified domains, email templates, and sending limits
- IAM: Role policies, trust relationships, and permission boundaries
Agent 4: Local File System Capture
Copied complete working copies of:
- queenofsandiego.com: Full Git checkout + node_modules snapshot
- sailjada.com: Full Git checkout + build artifacts
- salejada.com: Full Git checkout + dependency tree
- Google Apps Script projects: All deployed versions exported via clasp export
- Local tools: CLI scripts, deployment automation, utility functions in ~/repos/tools/
- LaunchAgents: All system automation configs in ~/Library/LaunchAgents/
- Documentation: Handoff notes, system wiki, architectural diagrams
- Secrets manifest: Encrypted index of secret locations (not the secrets themselves)
Infrastructure Topology
The snapshot preserves the following architecture:
- CDN Layer: 66 CloudFront distributions fronting S3 origins and API Gateway endpoints
- DNS Layer: Route53 zones managing apex domains and subdomains with health-check-based failover
- Compute Layer: 21 Lambda functions handling event processing, API endpoints, scheduled tasks, and webhooks
- Storage Layer: 45 S3 buckets across content delivery, application data, backup, and logging tiers
- Database Layer: 14 DynamoDB tables (production + staging) with global secondary indexes
- Email Layer: SES verified domains with custom DKIM/DMARC records (in Route53)
- Compute Instance: Single Lightsail instance running background agents and monitoring
Key Decisions
Why parallel agents? AWS API rate limits and data volume necessitated simultaneous exports. S3 sync and Lambda extraction can run concurrently without contention.
Why include environment variables? Variables (without values) are critical for understanding function behavior and dependencies. Values are stored in a separate encrypted manifest.
Why export CloudFront configs? Distributions change frequently and are easy to misconfigure. A snapshot prevents accidental cache invalidation or origin switching.
Why Lightsail snapshot? The instance runs background automation and monitoring. A snapshot allows instant recovery if the instance is corrupted or lost.
Why include GAS projects? Google Apps Script versions are not reversible via Git. Exporting ensures we can revert if formulas or automation logic breaks.
What's Next
The v1.0 snapshot is now the single source of truth for infrastructure state. Next steps:
- Encrypt the snapshot directory with GPG for secure storage
- Upload snapshot metadata to S3 with versioning enabled
- Create a disaster recovery playbook referencing exact bucket names and function names
- Implement automated daily incremental snapshots for production changes
- Tag all Lambda functions, S3 buckets, and CloudFront distributions
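For the encryption and metadata-upload steps above, a per-file SHA-256 manifest recorded before the directory is encrypted lets a later restore confirm that the decrypted tree matches what was captured. This is an added example, not the project's own tooling; the file names and contents in `demo` are constructed, and `build_manifest`, `verify`, and `write_file` are hypothetical helper names.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each regular file under root (relative path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):  # do not hash through symlinks
                continue
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            manifest[rel] = digest.hexdigest()
    return manifest


def verify(root, manifest):
    """Report files that are missing, unexpected or changed since recording."""
    now = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(now)),
        "unexpected": sorted(set(now) - set(manifest)),
        "modified": sorted(p for p in manifest if p in now and now[p] != manifest[p]),
    }


def write_file(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed tree: record a manifest, alter the tree, then verify it."""
    with tempfile.TemporaryDirectory() as root:
        write_file(root, "lambda/example-fn.zip", b"original code")
        write_file(root, "route53/example.zone", b"www 300 IN A 192.0.2.10")
        manifest = build_manifest(root)
        write_file(root, "lambda/example-fn.zip", b"altered code")
        os.remove(os.path.join(root, "route53/example.zone"))
        write_file(root, "lambda/extra.bin", b"added later")
        return verify(root, manifest)
```

The manifest is only useful as an integrity check if it is stored apart from the snapshot it describes, for example as the metadata object uploaded to the versioned bucket.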