[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
01/01: cdn: Update the README.org.
From: |
Chris Marusich |
Subject: |
01/01: cdn: Update the README.org. |
Date: |
Sat, 5 Jan 2019 02:43:54 -0500 (EST) |
marusich pushed a commit to branch master
in repository maintenance.
commit ce210ea35db9dcc6153d59eb186cad15be6f740a
Author: Chris Marusich <address@hidden>
Date: Fri Jan 4 23:40:29 2019 -0800
cdn: Update the README.org.
* cdn/README.org: Update many parts of it.
---
cdn/README.org | 1915 +++++++++++++++++++++++++++++---------------------------
1 file changed, 982 insertions(+), 933 deletions(-)
diff --git a/cdn/README.org b/cdn/README.org
index 8d35bd9..4a35eaf 100644
--- a/cdn/README.org
+++ b/cdn/README.org
@@ -1,4 +1,5 @@
* Overview
+
The Guix project maintains an [[https://aws.amazon.com/][AWS]] account to
provide a [[https://en.wikipedia.org/wiki/Content_delivery_network][CDN]] for
the
berlin build farm. Our CDN is built using
[[https://aws.amazon.com/cloudfront/][Amazon CloudFront]].
@@ -32,6 +33,7 @@ list of administrators), but it should be far easier to set
things up
by re-using this configuration than by starting from nothing.
* How to Use Terraform
+
** Prerequisites
To get started with managing Guix's AWS infrastructure using
@@ -91,1294 +93,1271 @@ saying "no" at the prompt if it doesn't exit
immediately with a
message saying there are no proposed changes), and eventually the
distribution should arrive at the desired end state.
-** Notes about Terraform's S3 Backend
+** Examples for Specific Use Cases
+
+*** Add an administrator
+
+Suppose you want to give Alice administrative access to Guix's AWS
+Account. Here is the recommended way to do that:
+
+- Obtain a copy of Alice's public PGP key. This will be used to
+ encrypt her credentials so that you can send them to her securely.
+- Optionally, strip the signatures from the PGP key, as described in
+ the section "How to import keys without all the signatures" farther
+ down in this document. This just makes it smaller.
+- Add a new entry for Alice's PGP key to terraform/variables.tf, of
+ the same form as the others.
+- Add a new IAM user for Alice to terraform/main.tf. You can just
+ copy and modify the "resource" and "output" blocks from an existing
+ administrator user.
+- Add Alice's IAM user to the "administrators" IAM group by adding an
+ entry for the user in the "administrators-membership" resource (also
+ in terraform/main.tf).
+- Run "AWS_PROFILE=guix terraform apply" to see what will change.
+- To actually make the changes, enter "yes" at the Terraform prompt.
+ You will see output like the following:
-Terraform stores state. Since this AWS Account is administered by
-more than one person using more than one computer, it makes sense to
-share state. The most sensible way to do this in Terraform is to use
-a so-called "backend" that enables everyone to coordinate even when
-using different computers. For details, see:
+#+BEGIN_EXAMPLE
+alice-access-key-1-id = AKIA...
+alice-access-key-1-secret = wcBM...
+alice-name = alice
+alice-password = wcBMA...
+#+END_EXAMPLE
-https://www.terraform.io/docs/state/index.html
-https://www.terraform.io/docs/state/remote.html
-https://www.terraform.io/docs/backends/config.html
+- Send that output to Alice. Explain to her that the "id" is her IAM
+ user's AWS Access Key ID, the "secret" is her IAM user's AWS Secret
+ Access Key, the "name" is her IAM user's username, and the
+ "password" is the password that she will use when logging into the
+ AWS Management Console as her IAM user. These secret and password
+ are encrypted with her PGP key and base64 encoded, so to use them
+ she must first decrypt them - for example, like this:
-Depending on the backend, it can also provide locking. The docs say
-this:
+#+BEGIN_EXAMPLE
+echo "$the_secret" | base64 --decode | gpg --decrypt
+#+END_EXAMPLE
-https://www.terraform.io/docs/state/locking.html
-"If supported by your backend, Terraform will lock your state for all
-operations that could write state. This prevents others from acquiring
-the lock and potentially corrupting your state."
+Once Alice has obtained her access key, she can use Terraform, the AWS
+CLI, and any other normal mechanism for interacting with AWS. She can
+also log into the AWS Management Console with her password (see the
+section titled "IAM Login URL" elsewhere in this document).
-Presumably, this also means that the locking will prevent two people
-from mutating resources (e.g., IAM group membership) at the same time.
+*** Remove an administrator
-We use the S3 backend:
+To revoke Alice's access by deleting her IAM user, just delete the
+configuration from terraform/main.tf and terraform/variables.tf, and
+then run "AWS_PROFILE=guix terraform apply". When you say "yes" to
+the prompt, it will delete Alice's IAM user, which means Alice will no
+longer be able to use her access key or password.
-https://www.terraform.io/docs/backends/types/s3.html
+*** Update the CloudFront distribution
-For details on how it's configured, see main.tf.
+Make a change to the configuration in terraform/main.tf. Then run
+"AWS_PROFILE=guix terraform apply" and say "yes" at the prompt.
+Terraform will make the changes.
-S3 is an appropriate storage location since using it in this way is
-not SaaSS (it's only storing and publishing data), and we don't
-already have an installation of something else that can do the job
-(e.g., Consul). To support locking, we also use DynamoDB, which again
-is not SaaSS in this case (it's only storing and publishing data).
+It might take a while (minutes) for the update to actually complete,
+even though the terraform command might exit quickly. In this case,
+you can run "terraform apply" or "terraform plan" multiple times to
+check on the distribution's status.
-* Software Environment
+*** Subscribe to receive billing alerts
-The following software versions were used, on a GuixSD system:
+In AWS, usually an alarm works like this. When a CloudWatch metric,
+such as "total estimated charges for the month", exceeds an alarm
+threshold, CloudWatch will send a message to an SNS topic. To receive
+the message, you must be subscribed to the topic.
-Guix: f5d4c46c2c0ccd62f5c5b44a486af4511d395f8f
-(Also known as "v0.16.0-177-gf5d4c46c2" by "git describe")
+Terraform doesn't manage email subscriptions to SNS topics.
+Therefore, if you want to receive an alert via email, you must
+manually subscribe to the topic. The simplest way to do that is via
+the AWS Management Console, but it is probably possible to do it with
+the AWS CLI, also. Read here for details:
-IceCat: 60.3.0-gnu1
(/gnu/store/4p6nn4sbv1qw196wp55v5sgbhd4cpams-icecat-60.3.0-gnu1)
+https://www.terraform.io/docs/providers/aws/r/sns_topic_subscription.html
+https://docs.aws.amazon.com/sns/latest/dg/sns-getting-started.html#SubscribeTopic
-IceCat plugins installed:
+*** Evict objects from CloudFront's cache
-- HTTPS Everywhere 2018.10.31
-- NoScript 10.2.1
-- Privacy Badger 2018.10.3.1
-- GNU LibreJS 7.18.1
+Sometimes, you might want to evict cached responses from the
+CloudFront distribution. CloudFront refers to this process as
+"invalidation". For details, see here:
-IceCat plugins explicitly disabled for the purpose of interacting with
-the AWS website, which breaks when they are enabled:
+https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Invalidation.html
-- NoScript
-- GNU LibreJS
+Note that invalidation costs an additional amount of money, but it is
+negligible if you are only doing a few invalidation requests.
+Notably, "the charge to submit an invalidation path is the same
+regardless of the number of files you're invalidating" - this means
+you can invalidate everything if you want, and it will cost basically
+nothing:
-Keepass XC: 2.3.4
+https://aws.amazon.com/cloudfront/pricing/
-Some possibly relevant IceCat about:config details:
+Here is an example that invalidates all cached objects for a
+distribution with ID E2LCS83UL0PPNA (change the ID and paths as
+needed):
-network.http.referer.spoofSource;false
-privacy.resistFingerprinting;false
+#+BEGIN_EXAMPLE
+[0] address@hidden:~
+$ AWS_DEFAULT_REGION=us-east-1 AWS_PROFILE=guix aws cloudfront
create-invalidation --distribution-id E2LCS83UL0PPNA --paths '/*'
+{
+ "Location":
"https://cloudfront.amazonaws.com/2017-03-25/distribution/E2LCS83UL0PPNA/invalidation/I2PCH5JZ52HUX7",
+ "Invalidation": {
+ "Id": "I2PCH5JZ52HUX7",
+ "Status": "InProgress",
+ "CreateTime": "2018-12-28T02:43:51.326Z",
+ "InvalidationBatch": {
+ "Paths": {
+ "Quantity": 1,
+ "Items": [
+ "/*"
+ ]
+ },
+ "CallerReference": "cli-1545965030-886799"
+ }
+ }
+}
+[0] address@hidden:~
+$
+#+END_EXAMPLE
-Terraform version (not managed by Guix): v0.11.11
-Terraform AWS Provider version (not managed by Guix): 1.54.0
+You can also check on the invalidation status like so:
-* Create the AWS Account
+#+BEGIN_EXAMPLE
+[0] address@hidden:~
+$ AWS_DEFAULT_REGION=us-east-1 AWS_PROFILE=guix aws cloudfront
get-invalidation --id I2PCH5JZ52HUX7 --distribution-id E2LCS83UL0PPNA
+{
+ "Invalidation": {
+ "Id": "I2PCH5JZ52HUX7",
+ "Status": "Completed",
+ "CreateTime": "2018-12-28T02:43:51.326Z",
+ "InvalidationBatch": {
+ "Paths": {
+ "Quantity": 1,
+ "Items": [
+ "/*"
+ ]
+ },
+ "CallerReference": "cli-1545965030-886799"
+ }
+ }
+}
+[0] address@hidden:~
+$
+#+END_EXAMPLE
-Website: https://aws.amazon.com/
+See the following for details:
-Click on the "Sign Up" button.
+https://docs.aws.amazon.com/cli/latest/reference/cloudfront/create-invalidation.html
+https://docs.aws.amazon.com/cli/latest/reference/cloudfront/get-invalidation.html
-Store the credentials in KeePass.
+* How to use AWS without Terraform
-The website doesn't work when NoScript and LibreJS are enabled. There
-might be a way to selectively enable a minimal set of scripts to allow
-the website to do its job, but I don't know what that set is.
-Instead, I temporarily disabled NoScript and LibreJS for this website
-so that I could get this portion of the job done.
+Sometimes, it's useful to verify the result of Terraform's activities
+without using Terraform. There are at least two convenient ways to do
+that:
-Click the box next to the sentence: "Check here to indicate that you
-have read and agree to the terms of the AWS Customer Agreement" - the
-link goes here:
+- Use the AWS CLI.
+- Use the AWS Management Console.
-https://aws.amazon.com/agreement/
+When you need to check something without using Terraform, you should
+prefer to use the AWS CLI if possible because it's definitely free
+software. The AWS Management Console might contain some non-free
+JavaScript - I haven't looked close enough at it to know for sure.
-Here is a copy of the agreement in full as it appeared on 2018-12-26:
+** Using the AWS CLI
-#+BEGIN_QUOTE
+The AWS CLI is packaged in Guix. It's called "awscli". This tool
+lets you interact with the AWS services from your shell. Here's some
+documentation:
+https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html
+https://docs.aws.amazon.com/cli/latest/index.html
-*If your address is in India, please review the AISPL Customer Agreement,
which governs your access to and use of the Service Offerings.
+It understands many (perhaps all?) of the same environment variables
+that the Terraform AWS provider understands.
-*Please note that as of July 1, 2018, customers located in Europe, the Middle
East, or Africa contract with our European based AWS Contracting Party, as
provided in Section 14. See the AWS Europe FAQ for more information.
-AWS Customer Agreement
-Last Updated: November 1, 2018
-See What's Changed
+Invoke it like this (customize the environment variables as needed):
-This AWS Customer Agreement (this “Agreement”) contains the terms and
conditions that govern your access to and use of the Service Offerings (as
defined below) and is an agreement between the applicable AWS Contracting Party
specified in Section 14 below (also referred to as “AWS,” “we,” “us,” or “our”)
and you or the entity you represent (“you” or “your”). This Agreement takes
effect when you click an “I Accept” button or check box presented with these
terms or, if earlier, when you use [...]
-1. Use of the Service Offerings.
+#+BEGIN_EXAMPLE
+[0] address@hidden:~
+$ AWS_DEFAULT_REGION=us-east-1 AWS_PROFILE=guix aws iam list-users
+{
+ "Users": [
+ {
+ "Path": "/",
+ "UserName": "civodul",
+ "UserId": "AIDAJXYCBKCDPUFEJVA3K",
+ "Arn": "arn:aws:iam::354378008360:user/civodul",
+ "CreateDate": "2018-12-27T07:37:19Z"
+ },
+ {
+ "Path": "/",
+ "UserName": "marusich",
+ "UserId": "AIDAJCXVTZTTRDUOTBAL2",
+ "Arn": "arn:aws:iam::354378008360:user/marusich",
+ "CreateDate": "2018-12-27T07:30:53Z",
+ "PasswordLastUsed": "2018-12-28T01:36:32Z"
+ },
+ {
+ "Path": "/",
+ "UserName": "rekado",
+ "UserId": "AIDAIZK2BC4U6R53UVING",
+ "Arn": "arn:aws:iam::354378008360:user/rekado",
+ "CreateDate": "2018-12-27T07:37:19Z"
+ }
+ ]
+}
+[0] address@hidden:~
+$
+#+END_EXAMPLE
-1.1 Generally. You may access and use the Service Offerings in accordance with
this Agreement. Service Level Agreements and Service Terms apply to certain
Service Offerings. You will comply with the terms of this Agreement and all
laws, rules and regulations applicable to your use of the Service Offerings.
+** IAM Login URL
-1.2 Your Account. To access the Services, you must have an AWS account
associated with a valid email address and a valid form of payment. Unless
explicitly permitted by the Service Terms, you will only create one account per
email address.
+Log into this URL with your IAM user name and password:
-1.3 Third-Party Content. Third-Party Content may be used by you at your
election. Third-Party Content is governed by this Agreement and, if applicable,
separate terms and conditions accompanying such Third-Party Content, which
terms and conditions may include separate fees and charges.
-2. Changes.
+https://354378008360.signin.aws.amazon.com/console
-2.1 To the Service Offerings. We may change or discontinue any or all of the
Service Offerings or change or remove functionality of any or all of the
Service Offerings from time to time. We will notify you of any material change
to or discontinuation of the Service Offerings.
+Alternatively, you can use this friendlier URL:
-2.2 To the APIs. We may change or discontinue any APIs for the Services from
time to time. For any discontinuation of or material change to an API for a
Service, we will use commercially reasonable efforts to continue supporting the
previous version of such API for 12 months after the change or discontinuation
(except if doing so (a) would pose a security or intellectual property issue,
(b) is economically or technically burdensome, or (c) would cause us to violate
the law or requests of [...]
+https://guix.signin.aws.amazon.com/console
-2.3 To the Service Level Agreements. We may change, discontinue or add Service
Level Agreements from time to time in accordance with Section 12.
-3. Security and Data Privacy.
+* Deployment Plan
-3.1 AWS Security. Without limiting Section 10 or your obligations under
Section 4.2, we will implement reasonable and appropriate measures designed to
help you secure Your Content against accidental or unlawful loss, access or
disclosure.
+** DNS
-3.2 Data Privacy. You may specify the AWS regions in which Your Content will
be stored. You consent to the storage of Your Content in, and transfer of Your
Content into, the AWS regions you select. We will not access or use Your
Content except as necessary to maintain or provide the Service Offerings, or as
necessary to comply with the law or a binding order of a governmental body. We
will not (a) disclose Your Content to any government or third party or (b)
subject to Section 3.3, move [...]
+For information about how Guix has configured its DNS, please contact
+one of the system administrators or address@hidden
-3.3 Service Attributes. To provide billing and administration services, we may
process Service Attributes in the AWS region(s) where you use the Service
Offerings and the AWS regions in the United States. To provide you with support
services initiated by you and investigate fraud, abuse or violations of this
Agreement, we may process Service Attributes where we maintain our support and
investigation personnel.
-4. Your Responsibilities.
+For now, we plan to use ci.guix.info as the entry point into the CDN.
+Currently, ci.guix.info points to the berlin build farm. To integrate
+ci.guix.info with the CDN, we must change ci.guix.info to be a CNAME
+that points to the CloudFront distribution.
-4.1 Your Accounts. Except to the extent caused by our breach of this
Agreement, (a) you are responsible for all activities that occur under your
account, regardless of whether the activities are authorized by you or
undertaken by you, your employees or a third party (including your contractors,
agents or End Users), and (b) we and our affiliates are not responsible for
unauthorized access to your account.
+** HTTPS (TLS)
-4.2 Your Content. You will ensure that Your Content and your and End Users’
use of Your Content or the Service Offerings will not violate any of the
Policies or any applicable law. You are solely responsible for the development,
content, operation, maintenance, and use of Your Content.
+Because ci.guix.info and berlin.guixsd.org currently allow both HTTP
+and HTTPS (i.e., HTTP over TLS), we will do the same for the
+CloudFront distribution. However, in the future, to protect the
+confidentiality of connections between clients and our build farm (or
+the CDN), we should stop serving requests over HTTP.
-4.3 Your Security and Backup. You are responsible for properly configuring and
using the Service Offerings and otherwise taking appropriate action to secure,
protect and backup your accounts and Your Content in a manner that will provide
appropriate security and protection, which might include use of encryption to
protect Your Content from unauthorized access and routinely archiving Your
Content.
+In addition, because we want to support HTTPS, we will need to arrange
+for a TLS certificate for ci.guix.info to be used with the CloudFront
+distribution. For details on how this is done with CloudFront, see:
-4.4 Log-In Credentials and Account Keys. AWS log-in credentials and private
keys generated by the Services are for your internal use only and you will not
sell, transfer or sublicense them to any other entity or person, except that
you may disclose your private key to your agents and subcontractors performing
work on your behalf.
+https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-alternate-domain-names.html
-4.5 End Users. You will be deemed to have taken any action that you permit,
assist or facilitate any person or entity to take related to this Agreement,
Your Content or use of the Service Offerings. You are responsible for End
Users’ use of Your Content and the Service Offerings. You will ensure that all
End Users comply with your obligations under this Agreement and that the terms
of your agreement with each End User are consistent with this Agreement. If you
become aware of any violati [...]
-5. Fees and Payment.
+Currently, the server behind berlin.guixsd.org (which currently, like
+ci.guix.info, is a single A record pointing to 141.80.181.40) returns
+a Let's Encrypt certificate with the following two Subject Alternative
+Names:
-5.1 Service Fees. We calculate and bill fees and charges monthly. We may bill
you more frequently for fees accrued if we suspect that your account is
fraudulent or at risk of non-payment. You will pay us the applicable fees and
charges for use of the Service Offerings as described on the AWS Site using one
of the payment methods we support. All amounts payable by you under this
Agreement will be paid to us without setoff or counterclaim, and without any
deduction or withholding. Fees and [...]
+- berlin.guixsd.org
+- ci.guix.info
-5.2 Taxes. Each party will be responsible, as required under applicable law,
for identifying and paying all taxes and other governmental fees and charges
(and any penalties, interest, and other additions thereto) that are imposed on
that party upon or with respect to the transactions and payments under this
Agreement. All fees payable by you are exclusive of Indirect Taxes. We may
charge and you will pay applicable Indirect Taxes that we are legally obligated
or authorized to collect fro [...]
-6. Temporary Suspension.
+You can see this by running:
-6.1 Generally. We may suspend your or any End User’s right to access or use
any portion or all of the Service Offerings immediately upon notice to you if
we determine:
+ echo -n | openssl s_client ci.guix.info:443 | openssl x509 -text
-(a) your or an End User’s use of the Service Offerings (i) poses a security
risk to the Service Offerings or any third party, (ii) could adversely impact
our systems, the Service Offerings or the systems or Content of any other AWS
customer, (iii) could subject us, our affiliates, or any third party to
liability, or (iv) could be fraudulent;
+We are not going to re-use this certificate. Instead, we are going to
+provision a new certificate using Amazon Certificate Manager (ACM).
+We will do this because if we use an ACM certificate, we gain the
+following benefits:
-(b) you are, or any End User is, in breach of this Agreement;
+- ACM will automatically rotate our certificate.
+- The ACM CA, like many CAs, is already trusted by Guix's client
+ software and so requires no additional action for clients to use.
+- By using ACM, we do not have to trust Amazon with the
+ berlin.guixsd.org server's private key.
+- Using ACM is a purely additive operation, so rollback is easy.
+- This use of ACM incurs zero additional cost.
-(c) you are in breach of your payment obligations under Section 5; or
+On the contrary, if we re-use berlin.guixsd.org's certificate, we must
+accept the following downsides:
-(d) you have ceased to operate in the ordinary course, made an assignment for
the benefit of creditors or similar disposition of your assets, or become the
subject of any bankruptcy, reorganization, liquidation, dissolution or similar
proceeding.
+- Certificate rotation must be done manually, or via a cron job of
+ some kind that we would have to implement and maintain. Even if
+ Let's Encrypt makes it easy to rotate the certificate, importing
+ that certificate into AWS and using it with the CloudFront
+ distribution will require additional steps.
+- We must share the berlin.guixsd.org server's private key with AWS.
+ If rolling back also means eliminating the risk introduced by
+ sharing the private key, then rollback will also become more
+ complicated.
-6.2 Effect of Suspension. If we suspend your right to access or use any
portion or all of the Service Offerings:
+We could provision a new Let's Encrypt certificate to make rollback
+easier, but we would still have to import it into Amazon ourselves and
+rotate it manually. It just makes more sense to use Amazon
+Certificate Manger for this test. Perhaps in the future, if we decide
+to stick with CloudFront for a long time, we will implement our own
+automatic rotation mechanism so that we can provision and manage our
+own certificate.
-(a) you remain responsible for all fees and charges you incur during the
period of suspension; and
+Finally, note that to provision a certificate with ACM will require
+access to both the AWS account and also the DNS provider account.
+This is because, as part of the certificate provisioning process, ACM
+requires us to demonstrate domain ownership. This can be done via
+email verification (in which ACM emails a bunch of admin emails
+associated with the domain) or DNS record verification (in which we
+create a nonce DNS record, specified by ACM, to demonstrate
+ownership).
-(b) you will not be entitled to any service credits under the Service Level
Agreements for any period of suspension.
-7. Term; Termination.
+** Concrete Steps
-7.1 Term. The term of this Agreement will commence on the Effective Date and
will remain in effect until terminated under this Section 7. Any notice of
termination of this Agreement by either party to the other must include a
Termination Date that complies with the notice periods in Section 7.2.
+Summary of deployment, validation, and rollback plan.
-7.2 Termination.
+*** Pre-Deployment
-(a) Termination for Convenience. You may terminate this Agreement for any
reason by providing us notice and closing your account for all Services for
which we provide an account closing mechanism. We may terminate this Agreement
for any reason by providing you at least 30 days’ advance notice.
+Before deploying, make sure the following has been done:
-(b) Termination for Cause.
+- Fully prepare a working CloudFront distribution using Terraform.
+- Run the validation steps successfully against the CloudFront
+ distribution (i.e., via the "abcd1234.cloudfront.net" hostname
+ instead of ci.guix.info).
-(i) By Either Party. Either party may terminate this Agreement for cause if
the other party is in material breach of this Agreement and the material breach
remains uncured for a period of 30 days from receipt of notice by the other
party. No later than the Termination Date, you will close your account.
+*** Deployment
-(ii) By Us. We may also terminate this Agreement immediately upon notice to
you (A) for cause if we have the right to suspend under Section 6, (B) if our
relationship with a third-party partner who provides software or other
technology we use to provide the Service Offerings expires, terminates or
requires us to change the way we provide the software or other technology as
part of the Services, or (C) in order to comply with the law or requests of
governmental entities.
+Deploy as follows:
-7.3 Effect of Termination.
+- Send an email to address@hidden and address@hidden, and notify the
+ #guix chat room on Freenode, to let people know you are beginning.
+- Update DNS so ci.guix.info is a CNAME pointing to the CloudFront
+ distribution's DNS name.
-(a) Generally. Upon the Termination Date:
+*** Validation
-(i) except as provided in Section 7.3(b), all your rights under this Agreement
immediately terminate;
+Validate ci.guix.info as follows:
-(ii) you remain responsible for all fees and charges you have incurred through
the Termination Date and are responsible for any fees and charges you incur
during the post-termination period described in Section 7.3(b);
+- Using "guix download", download a substitute. Confirm it succeeds.
+- Using "guix weather", check the weather of ci.guix.info. Confirm it
+ succeeds and has more than 0% substitutes available.
+- Using "guix build", build something using substitutes. Confirm that
+ Guix successfully updates substitute information and downloads
+ substitutes.
+- Using IceCat, view the Cuirass web interface. Confirm it loads and
+ behaves as expected.
+- After 24 hours, check the cache hit rate using the AWS Management
+ Console and confirm that it is greater than 0%.
-(iii) you will immediately return or, if instructed by us, destroy all AWS
Content in your possession; and
+*** Rollback
-(iv) Sections 4.1, 5, 7.3, 8 (except the license granted to you in Section
8.3), 9, 10, 11, 13 and 14 will continue to apply in accordance with their
terms.
+Rollback as follows:
-(b) Post-Termination. Unless we terminate your use of the Service Offerings
pursuant to Section 7.2(b), during the 30 days following the Termination Date:
+- Restore the original DNS record for ci.guix.info.
+- Once you observe that ci.guix.info starts to resolve to the original
+ address, repeat validation activities for ci.guix.info.
+- After that, once at least 2x the TTL for ci.guix.info has passed
+ since the DNS flip occurred, disable the CloudFront distribution.
+- Send an email to address@hidden and address@hidden, and notify the
+ #guix chat room on Freenode, to let people know you have rolled
+ back.
-(i) we will not take action to remove from the AWS systems any of Your Content
as a result of the termination; and
+* Miscellaneous Information
-(ii) we will allow you to retrieve Your Content from the Services only if you
have paid all amounts due under this Agreement.
+** Avoiding "Service as a Software Substitute"
-For any use of the Services after the Termination Date, the terms of this
Agreement will apply and you will pay the applicable fees at the rates under
Section 5.
-8. Proprietary Rights.
+Dave made an awesome Guile module for using CloudFormation:
-8.1 Your Content. Except as provided in this Section 8, we obtain no rights
under this Agreement from you (or your licensors) to Your Content. You consent
to our use of Your Content to provide the Service Offerings to you and any End
Users.
+https://lists.gnu.org/archive/html/guix-devel/2018-12/msg00102.html
+https://gist.github.com/davexunit/db4b9d3e67902216fbdbc66cd9c6413e
-8.2 Adequate Rights. You represent and warrant to us that: (a) you or your
licensors own all right, title, and interest in and to Your Content and
Suggestions; (b) you have all rights in Your Content and Suggestions necessary
to grant the rights contemplated by this Agreement; and (c) none of Your
Content or End Users’ use of Your Content or the Service Offerings will violate
the Acceptable Use Policy.
+We could have used Dave's module. However, Terraform...
-8.3 Service Offerings License. We or our licensors own all right, title, and
interest in and to the Service Offerings, and all related technology and
intellectual property rights. Subject to the terms of this Agreement, we grant
you a limited, revocable, non-exclusive, non-sublicensable, non-transferrable
license to do the following: (a) access and use the Services solely in
accordance with this Agreement; and (b) copy and use the AWS Content solely in
connection with your permitted use [...]
+- is mature software - it has been around for years.
+- has a vibrant ecosystem surrounding it already
+- is popular and is used by lots of people
+- avoids vendor lock-in by supporting many different providers
-8.4 License Restrictions. Neither you nor any End User will use the Service
Offerings in any manner or for any purpose other than as expressly permitted by
this Agreement. Neither you nor any End User will, or will attempt to (a)
modify, distribute, alter, tamper with, repair, or otherwise create derivative
works of any Content included in the Service Offerings (except to the extent
Content included in the Service Offerings is provided to you under a separate
license that expressly permi [...]
+Finally, and most importantly: Terraform is free software that you can
+run on your own computer. On the other hand, CloudFormation is
+essentially a "service as a software substitute" (SaaSS) that solves
+the same problem by offloading the work to a service. There is no
+good reason to use CloudFormation when we can use or make free
+software like Terraform to do the job for us just as well - maybe even
+better:
-8.5 Suggestions. If you provide any Suggestions to us or our affiliates, we
and our affiliates will be entitled to use the Suggestions without restriction.
You hereby irrevocably assign to us all right, title, and interest in and to
the Suggestions and agree to provide us any assistance we require to document,
perfect, and maintain our rights in the Suggestions.
-9. Indemnification.
+https://www.terraform.io/intro/vs/cloudformation.html
+https://www.gnu.org/philosophy/who-does-that-server-really-serve.html
-9.1 General. You will defend, indemnify, and hold harmless us, our affiliates
and licensors, and each of their respective employees, officers, directors, and
representatives from and against any Losses arising out of or relating to any
third-party claim concerning: (a) your or any End Users’ use of the Service
Offerings (including any activities under your AWS account and use by your
employees and personnel); (b) breach of this Agreement or violation of
applicable law by you, End Users o [...]
+Primarily because CloudFormation is SaaSS, and secondarily because
+Terraform is mature and widely used, I chose to use Terraform.
-9.2 Intellectual Property.
+But if that's the case, then why are we using CloudFront, IAM, etc.?
+Aren't those services, too? Well, yes. They are. But they are not
+SaaSS. I will try to explain why.
-(a) Subject to the limitations in this Section 9, AWS will defend you and your
employees, officers, and directors against any third-party claim alleging that
the Services infringe or misappropriate that third party’s intellectual
property rights, and will pay the amount of any adverse final judgment or
settlement.
+CloudFront is a CDN, and you cannot do what a CDN does by running a
+program on your computer. To do what a CDN does would require a huge
+investment of capital and people power to build and operate an
+international network of computers. In this way, a CDN is not SaaSS.
-(b) Subject to the limitations in this Section 9, you will defend AWS, its
affiliates, and their respective employees, officers, and directors against any
third-party claim alleging that any of Your Content infringes or
misappropriates that third party’s intellectual property rights, and will pay
the amount of any adverse final judgment or settlement.
+IAM is also a service. But again, you cannot replace what it does by
+running software on your computer. IAM is Amazon's way of knowing who
+should be allowed to do what with the Amazon web services that you
+choose to use. For example, creating an IAM group for administrators,
+and an IAM policy saying they can do anything they want, and adding an
+IAM user to that group named "Chris Marusich", is analogous to calling
+up your electric company and saying, "Please let Chris Marusich do
+whatever he needs to do with this account." They record the
+information in their own system, and then when Chris calls asking them
+to change a billing address, they do some verification and determine
+that he's allowed to do that. IAM is the same. It doesn't replace
+software that you could have run on your own computer; it's an
+integral part of using the Amazon web services, and it has no function
+outside of that. Therefore, IAM is also not SaaSS.
-(c) Neither party will have obligations or liability under this Section 9.2
arising from infringement by combinations of the Services or Your Content, as
applicable, with any other product, service, software, data, content or method.
In addition, AWS will have no obligations or liability arising from your or any
End User’s use of the Services after AWS has notified you to discontinue such
use. The remedies provided in this Section 9.2 are the sole and exclusive
remedies for any third-par [...]
+Generally speaking, although SaaSS is bad because it takes freedom
+away from the computer user, services that are not SaaSS may be bad or
+good depending on the context. Services are different from software,
+so they must be treated differently. We shouldn't be afraid to use a
+service if (1) it isn't SaaSS and (2) it makes sense to use that
+particular service in that particular context.
-(d) For any claim covered by Section 9.2(a), AWS will, at its election,
either: (i) procure the rights to use that portion of the Services alleged to
be infringing; (ii) replace the alleged infringing portion of the Services with
a non-infringing alternative; (iii) modify the alleged infringing portion of
the Services to make it non-infringing; or (iv) terminate the allegedly
infringing portion of the Services or this Agreement.
+** Notes about Terraform's S3 Backend
-9.3 Process. The obligations under this Section 9 will apply only if the party
seeking defense or indemnity: (a) gives the other party prompt written notice
of the claim; (b) permits the other party to control the defense and settlement
of the claim; and (c) reasonably cooperates with the other party (at the other
party’s expense) in the defense and settlement of the claim. In no event will a
party agree to any settlement of any claim that involves any commitment, other
than the payment [...]
-10. Disclaimers.
+Terraform stores state. Since this AWS Account is administered by
+more than one person using more than one computer, it makes sense to
+share state. The most sensible way to do this in Terraform is to use
+a so-called "backend" that enables everyone to coordinate even when
+using different computers. For details, see:
-THE SERVICE OFFERINGS ARE PROVIDED “AS IS.” EXCEPT TO THE EXTENT PROHIBITED BY
LAW, OR TO THE EXTENT ANY STATUTORY RIGHTS APPLY THAT CANNOT BE EXCLUDED,
LIMITED OR WAIVED, WE AND OUR AFFILIATES AND LICENSORS (A) MAKE NO
REPRESENTATIONS OR WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY
OR OTHERWISE REGARDING THE SERVICE OFFERINGS OR THE THIRD-PARTY CONTENT, AND
(B) DISCLAIM ALL WARRANTIES, INCLUDING ANY IMPLIED OR EXPRESS WARRANTIES (I) OF
MERCHANTABILITY, SATISFACTORY QUALIT [...]
-11. Limitations of Liability.
+https://www.terraform.io/docs/state/index.html
+https://www.terraform.io/docs/state/remote.html
+https://www.terraform.io/docs/backends/config.html
-WE AND OUR AFFILIATES AND LICENSORS WILL NOT BE LIABLE TO YOU FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES (INCLUDING
DAMAGES FOR LOSS OF PROFITS, REVENUES, CUSTOMERS, OPPORTUNITIES, GOODWILL, USE,
OR DATA), EVEN IF A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
FURTHER, NEITHER WE NOR ANY OF OUR AFFILIATES OR LICENSORS WILL BE RESPONSIBLE
FOR ANY COMPENSATION, REIMBURSEMENT, OR DAMAGES ARISING IN CONNECTION WITH: (A)
YOUR INABILITY TO U [...]
-12. Modifications to the Agreement.
+Depending on the backend, it can also provide locking. The docs say
+this:
-We may modify this Agreement (including any Policies) at any time by posting a
revised version on the AWS Site or by otherwise notifying you in accordance
with Section 13.10; provided, however, that we will provide at least 90 days’
advance notice in accordance with Section 13.10 for adverse changes to any
Service Level Agreement. Subject to the 90 day advance notice requirement with
respect to adverse changes to Service Level Agreements, the modified terms will
become effective upon pos [...]
-13. Miscellaneous.
+https://www.terraform.io/docs/state/locking.html
+"If supported by your backend, Terraform will lock your state for all
+operations that could write state. This prevents others from acquiring
+the lock and potentially corrupting your state."
-13.1 Assignment. You will not assign or otherwise transfer this Agreement or
any of your rights and obligations under this Agreement, without our prior
written consent. Any assignment or transfer in violation of this Section 13.1
will be void. We may assign this Agreement without your consent (a) in
connection with a merger, acquisition or sale of all or substantially all of
our assets, or (b) to any Affiliate or as part of a corporate reorganization;
and effective upon such assignment, [...]
+Presumably, this also means that the locking will prevent two people
+from mutating resources (e.g., IAM group membership) at the same time.
-13.2 Entire Agreement. This Agreement incorporates the Policies by reference
and is the entire agreement between you and us regarding the subject matter of
this Agreement. This Agreement supersedes all prior or contemporaneous
representations, understandings, agreements, or communications between you and
us, whether written or verbal, regarding the subject matter of this Agreement
(but does not supersede prior commitments to purchase Services such as Amazon
EC2 Reserved Instances). We wi [...]
+We use the S3 backend:
-13.3 Force Majeure. We and our affiliates will not be liable for any delay or
failure to perform any obligation under this Agreement where the delay or
failure results from any cause beyond our reasonable control, including acts of
God, labor disputes or other industrial disturbances, electrical or power
outages, utilities or other telecommunications failures, earthquake, storms or
other elements of nature, blockages, embargoes, riots, acts or orders of
government, acts of terrorism, or war.
+https://www.terraform.io/docs/backends/types/s3.html
-13.4 Governing Law. The Governing Laws, without reference to conflict of law
rules, govern this Agreement and any dispute of any sort that might arise
between you and us. The United Nations Convention for the International Sale of
Goods does not apply to this Agreement.
+For details on how it's configured, see main.tf.
-13.5 Disputes. Any dispute or claim relating in any way to your use of the
Service Offerings, or to any products or services sold or distributed by AWS
will be adjudicated in the Governing Courts, and you consent to exclusive
jurisdiction and venue in the Governing Courts; except, if the applicable AWS
Contracting Party is Amazon Web Services, Inc., any such dispute will be
resolved by binding arbitration as provided in this Section 13.5, rather than
in court, except that you may assert [...]
+S3 is an appropriate storage location since using it in this way is
+not SaaSS (it's only storing and publishing data), and we don't
+already have an installation of something else that can do the job
+(e.g., Consul). To support locking, we also use DynamoDB, which again
+is not SaaSS in this case (it's only storing and publishing data).
-13.6 Trade Compliance. In connection with this Agreement, each party will
comply with all applicable import, re-import, sanctions, anti-boycott, export,
and re-export control laws and regulations, including all such laws and
regulations that apply to a U.S. company, such as the Export Administration
Regulations, the International Traffic in Arms Regulations, and economic
sanctions programs implemented by the Office of Foreign Assets Control. For
clarity, you are solely responsible for co [...]
+** How to import keys without all the signatures
-13.7 Independent Contractors; Non-Exclusive Rights. We and you are independent
contractors, and this Agreement will not be construed to create a partnership,
joint venture, agency, or employment relationship. Neither party, nor any of
their respective affiliates, is an agent of the other for any purpose or has
the authority to bind the other. Both parties reserve the right (a) to develop
or have developed for it products, services, concepts, systems, or techniques
that are similar to or [...]
+The file terraform/variables.tf contains some PGP public keys. Those
+keys are often very large, due to signatures. This section describes
+how to strip the signatures, which are not necessary when using the
+keys with Terraform.
-13.8 Language. All communications and notices made or given pursuant to this
Agreement must be in the English language. If we provide a translation of the
English language version of this Agreement, the English language version of the
Agreement will control if there is any conflict.
+In most cases, a person's public PGP key has many signatures. These
+aren't necessary for encrypting the AWS Access Key and password
+mentioned above. All we need is the public key, not the signatures.
+The presence of the signatures makes the variables.tf file very large.
+We can prune down the exported public key for someone by doing this,
+for example for someone named "marusich":
-13.9 Confidentiality and Publicity. You may use AWS Confidential Information
only in connection with your use of the Service Offerings as permitted under
this Agreement. You will not disclose AWS Confidential Information during the
Term or at any time during the 5-year period following the end of the Term. You
will take all reasonable measures to avoid disclosure, dissemination or
unauthorized use of AWS Confidential Information, including, at a minimum,
those measures you take to protec [...]
+Use this function:
-13.10 Notice.
+#+BEGIN_EXAMPLE
+strip_sigs() {
+ local owner="$1"
+ local temphome="$(mktemp -d)"
+ gpg --export "$owner" | GNUPGHOME="$temphome" gpg --import
--import-options='import-clean'
+ GNUPGHOME="$temphome" gpg --export "$owner" | base64
+}
+#+END_EXAMPLE
-(a) To You. We may provide any notice to you under this Agreement by: (i)
posting a notice on the AWS Site; or (ii) sending a message to the email
address then associated with your account. Notices we provide by posting on the
AWS Site will be effective upon posting and notices we provide by email will be
effective when we send the email. It is your responsibility to keep your email
address current. You will be deemed to have received any email sent to the
email address then associated w [...]
+Use it like this:
-(b) To Us. To give us notice under this Agreement, you must contact AWS by
facsimile transmission or personal delivery, overnight courier or registered or
certified mail to the facsimile number or mailing address, as applicable,
listed for the applicable AWS Contracting Party in Section 14 below. We may
update the facsimile number or address for notices to us by posting a notice on
the AWS Site. Notices provided by personal delivery will be effective
immediately. Notices provided by facs [...]
+#+BEGIN_EXAMPLE
+strip_sigs address@hidden
+#+END_EXAMPLE
-13.11 No Third-Party Beneficiaries. Except as set forth in Section 9, this
Agreement does not create any third-party beneficiary rights in any individual
or entity that is not a party to this Agreement.
+You can then copy the output into a new entry in the variables.tf
+file. It will be significantly smaller than if we hadn't cleaned up
+all the signatures.
-13.12 U.S. Government Rights. The Service Offerings are provided to the U.S.
Government as “commercial items,” “commercial computer software,” “commercial
computer software documentation,” and “technical data” with the same rights and
restrictions generally applicable to the Service Offerings. If you are using
the Service Offerings on behalf of the U.S. Government and these terms fail to
meet the U.S. Government’s needs or are inconsistent in any respect with
federal law, you will immedi [...]
+** Initial Set-Up
-13.13 No Waivers. The failure by us to enforce any provision of this Agreement
will not constitute a present or future waiver of such provision nor limit our
right to enforce such provision at a later time. All waivers by us must be in
writing to be effective.
+This section describes how the AWS account was initially set up - all
+the steps that had to be done outside of Terraform to set it up in the
+first place. You only need to read it if you're interested in
+reproducing that work, or if you're just curious.
-13.14 Severability. If any portion of this Agreement is held to be invalid or
unenforceable, the remaining portions of this Agreement will remain in full
force and effect. Any invalid or unenforceable portions will be interpreted to
effect and intent of the original portion. If such construction is not
possible, the invalid or unenforceable portion will be severed from this
Agreement but the rest of the Agreement will remain in full force and effect.
-14. Definitions.
+*** Software Environment
-“Acceptable Use Policy” means the policy located at http://aws.amazon.com/aup
(and any successor or related locations designated by us), as it may be updated
by us from time to time.
+The following software versions were used, on a GuixSD system:
-“Account Country” is the country associated with your account. If you have
provided a valid tax registration number for your account, then your Account
Country is the country associated with your tax registration. If you have not
provided a valid tax registration, then your Account Country is the country
where your billing address is located, except if your credit card account is
issued in a different country and your contact address is also in that country,
then your Account Country is [...]
+Guix: f5d4c46c2c0ccd62f5c5b44a486af4511d395f8f
+(Also known as "v0.16.0-177-gf5d4c46c2" by "git describe")
-“Account Information” means information about you that you provide to us in
connection with the creation or administration of your AWS account. For
example, Account Information includes names, usernames, phone numbers, email
addresses and billing information associated with your AWS account.
+IceCat: 60.3.0-gnu1
(/gnu/store/4p6nn4sbv1qw196wp55v5sgbhd4cpams-icecat-60.3.0-gnu1)
-“API” means an application program interface.
+IceCat plugins installed:
-“AWS Confidential Information” means all nonpublic information disclosed by
us, our affiliates, business partners or our or their respective employees,
contractors or agents that is designated as confidential or that, given the
nature of the information or circumstances surrounding its disclosure,
reasonably should be understood to be confidential. AWS Confidential
Information includes: (a) nonpublic information relating to our or our
affiliates or business partners’ technology, customer [...]
+- HTTPS Everywhere 2018.10.31
+- NoScript 10.2.1
+- Privacy Badger 2018.10.3.1
+- GNU LibreJS 7.18.1
-“AWS Content” means Content we or any of our affiliates make available in
connection with the Services or on the AWS Site to allow access to and use of
the Services, including APIs; WSDLs; Documentation; sample code; software
libraries; command line tools; proofs of concept; templates; and other related
technology (including any of the foregoing that are provided by our personnel).
AWS Content does not include the Services or Third-Party Content.
+IceCat plugins explicitly disabled for the purpose of interacting with
+the AWS website, which breaks when they are enabled:
-"AWS Contracting Party" means the party identified in the table below, based
on your Account Country. If you change your Account Country to one identified
to a different AWS Contracting Party below, you agree that this Agreement is
then assigned to the new AWS Contracting Party under Section 13.1 without any
further action required by either party.
+- NoScript
+- GNU LibreJS
-Account Country
-
+Keepass XC: 2.3.4
-AWS Contracting Party
-
+Some possibly relevant IceCat about:config details:
-Facsimile
-
+network.http.referer.spoofSource;false
+privacy.resistFingerprinting;false
-Mailing Address
+Terraform version (not managed by Guix): v0.11.11
+Terraform AWS Provider version (not managed by Guix): 1.54.0
-Any country within Europe, the Middle East, or Africa ("EMEA")*
+*** Create an AWS Account
-
-
+Website: https://aws.amazon.com/
-Amazon Web Services EMEA SARL
-
+Click on the "Sign Up" button.
-352 2789 0057
- 38 Avenue John F. Kennedy, L-1855, Luxembourg
+Store the credentials in KeePass.
-Any other country that is not in EMEA
-
+The website doesn't work when NoScript and LibreJS are enabled. There
+might be a way to selectively enable a minimal set of scripts to allow
+the website to do its job, but I don't know what that set is.
+Instead, I temporarily disabled NoScript and LibreJS for this website
+so that I could get this portion of the job done.
-Amazon Web Services, Inc.
-
+Click the box next to the sentence: "Check here to indicate that you
+have read and agree to the terms of the AWS Customer Agreement" - the
+link goes here:
-206-266-7010
- 410 Terry Avenue North,
-Seattle, WA 98109-5210
-U.S.A.
+https://aws.amazon.com/agreement/
-*See https://aws.amazon.com/legal/aws-emea-countries for a full list of EMEA
countries.
+A telephone number is required to complete the default sign-up
+process. It may be possible to sign up without a phone, but I did not
+try that. AWS displays a number on the website, an automated system
+calls the phone number you provide, you enter the displayed number,
+and then the process is complete.
-“AWS Marks” means any trademarks, service marks, service or trade names,
logos, and other designations of AWS and its affiliates that we may make
available to you in connection with this Agreement.
+**** Free Tier
-“AWS Site” means http://aws.amazon.com (and any successor or related site
designated by us), as may be updated by us from time to time.
-“Content” means software (including machine images), data, text, audio, video
or images.
+For first 12 months (from 2018-12-26), this AWS account will have
+access to the "free tier", which gives discounts on some services:
-“Documentation” means the user guides and admin guides (in each case exclusive
of content referenced via hyperlink) for the Services located at
http://aws.amazon.com/documentation (and any successor or related locations
designated by us), as such user guides and admin guides may be updated by AWS
from time to time.
+https://aws.amazon.com/free/
-“End User” means any individual or entity that directly or indirectly through
another user: (a) accesses or uses Your Content; or (b) otherwise accesses or
uses the Service Offerings under your account. The term “End User” does not
include individuals or entities when they are accessing or using the Services
or any Content under their own AWS account, rather than under your account.
+Notable parts:
-"Governing Laws" and “Governing Courts” mean, for each AWS Contracting Party,
the laws and courts set forth in the following table:
+#+BEGIN_QUOTE
+Data Transfer
-AWS Contracting Party
-
+ 15 GB of data transfer out and 1GB of regional data transfer aggregated
across all AWS services*
-Governing Laws
-
+Amazon CloudFront
-Governing Courts
+ 50 GB Data Transfer Out, 2,000,000 HTTP and HTTPS Requests of Amazon
CloudFront*
+#+END_QUOTE
-Amazon Web Services EMEA SARL
-
+**** User Agreement
-The laws of the Grand Duchy of Luxembourg
-
+Here is a copy of the above agreement in full as it appeared on
+2018-12-26:
-The courts of the district of Luxembourg City
+#+BEGIN_QUOTE
+*If your address is in India, please review the AISPL Customer Agreement,
which governs your access to and use of the Service Offerings.
-Amazon Web Services, Inc.
-
+*Please note that as of July 1, 2018, customers located in Europe, the Middle
East, or Africa contract with our European based AWS Contracting Party, as
provided in Section 14. See the AWS Europe FAQ for more information.
+AWS Customer Agreement
+Last Updated: November 1, 2018
+See What's Changed
-The laws of the State of Washington
-
+This AWS Customer Agreement (this “Agreement”) contains the terms and
conditions that govern your access to and use of the Service Offerings (as
defined below) and is an agreement between the applicable AWS Contracting Party
specified in Section 14 below (also referred to as “AWS,” “we,” “us,” or “our”)
and you or the entity you represent (“you” or “your”). This Agreement takes
effect when you click an “I Accept” button or check box presented with these
terms or, if earlier, when you use [...]
+1. Use of the Service Offerings.
-The state or Federal courts in King County, Washington
+1.1 Generally. You may access and use the Service Offerings in accordance with
this Agreement. Service Level Agreements and Service Terms apply to certain
Service Offerings. You will comply with the terms of this Agreement and all
laws, rules and regulations applicable to your use of the Service Offerings.
-“Indirect Taxes” means applicable taxes and duties, including, without
limitation, VAT, Service Tax, GST, excise taxes, sales and transactions taxes,
and gross receipts tax.
+1.2 Your Account. To access the Services, you must have an AWS account
associated with a valid email address and a valid form of payment. Unless
explicitly permitted by the Service Terms, you will only create one account per
email address.
-“Losses” means any claims, damages, losses, liabilities, costs, and expenses
(including reasonable attorneys’ fees).
+1.3 Third-Party Content. Third-Party Content may be used by you at your
election. Third-Party Content is governed by this Agreement and, if applicable,
separate terms and conditions accompanying such Third-Party Content, which
terms and conditions may include separate fees and charges.
+2. Changes.
-“Policies” means the Acceptable Use Policy, Privacy Policy, the Site Terms,
the Service Terms, the Trademark Use Guidelines, all restrictions described in
the AWS Content and on the AWS Site, and any other policy or terms referenced
in or incorporated into this Agreement, but does not include whitepapers or
other marketing materials referenced on the AWS Site.
+2.1 To the Service Offerings. We may change or discontinue any or all of the
Service Offerings or change or remove functionality of any or all of the
Service Offerings from time to time. We will notify you of any material change
to or discontinuation of the Service Offerings.
-“Privacy Policy” means the privacy policy located at
http://aws.amazon.com/privacy (and any successor or related locations
designated by us), as it may be updated by us from time to time.
+2.2 To the APIs. We may change or discontinue any APIs for the Services from
time to time. For any discontinuation of or material change to an API for a
Service, we will use commercially reasonable efforts to continue supporting the
previous version of such API for 12 months after the change or discontinuation
(except if doing so (a) would pose a security or intellectual property issue,
(b) is economically or technically burdensome, or (c) would cause us to violate
the law or requests of [...]
-“Service” means each of the services made available by us or our affiliates,
including those web services described in the Service Terms. Services do not
include Third-Party Content.
+2.3 To the Service Level Agreements. We may change, discontinue or add Service
Level Agreements from time to time in accordance with Section 12.
+3. Security and Data Privacy.
-“Service Attributes” means Service usage data related to your account, such as
resource identifiers, metadata tags, security and access roles, rules, usage
policies, permissions, usage statistics and analytics.
+3.1 AWS Security. Without limiting Section 10 or your obligations under
Section 4.2, we will implement reasonable and appropriate measures designed to
help you secure Your Content against accidental or unlawful loss, access or
disclosure.
-“Service Level Agreement” means all service level agreements that we offer
with respect to the Services and post on the AWS Site, as they may be updated
by us from time to time. The service level agreements we offer with respect to
the Services are located at
https://aws.amazon.com/legal/service-level-agreements/ (and any successor or
related locations designated by AWS), as may be updated by AWS from time to
time.
+3.2 Data Privacy. You may specify the AWS regions in which Your Content will
be stored. You consent to the storage of Your Content in, and transfer of Your
Content into, the AWS regions you select. We will not access or use Your
Content except as necessary to maintain or provide the Service Offerings, or as
necessary to comply with the law or a binding order of a governmental body. We
will not (a) disclose Your Content to any government or third party or (b)
subject to Section 3.3, move [...]
-“Service Offerings” means the Services (including associated APIs), the AWS
Content, the AWS Marks, and any other product or service provided by us under
this Agreement. Service Offerings do not include Third-Party Content.
+3.3 Service Attributes. To provide billing and administration services, we may
process Service Attributes in the AWS region(s) where you use the Service
Offerings and the AWS regions in the United States. To provide you with support
services initiated by you and investigate fraud, abuse or violations of this
Agreement, we may process Service Attributes where we maintain our support and
investigation personnel.
+4. Your Responsibilities.
-“Service Terms” means the rights and restrictions for particular Services
located at http://aws.amazon.com/serviceterms (and any successor or related
locations designated by us), as may be updated by us from time to time.
+4.1 Your Accounts. Except to the extent caused by our breach of this
Agreement, (a) you are responsible for all activities that occur under your
account, regardless of whether the activities are authorized by you or
undertaken by you, your employees or a third party (including your contractors,
agents or End Users), and (b) we and our affiliates are not responsible for
unauthorized access to your account.
-“Site Terms” means the terms of use located at http://aws.amazon.com/terms/
(and any successor or related locations designated by us), as may be updated by
us from time to time.
+4.2 Your Content. You will ensure that Your Content and your and End Users’
use of Your Content or the Service Offerings will not violate any of the
Policies or any applicable law. You are solely responsible for the development,
content, operation, maintenance, and use of Your Content.
-“Suggestions” means all suggested improvements to the Service Offerings that
you provide to us.
+4.3 Your Security and Backup. You are responsible for properly configuring and
using the Service Offerings and otherwise taking appropriate action to secure,
protect and backup your accounts and Your Content in a manner that will provide
appropriate security and protection, which might include use of encryption to
protect Your Content from unauthorized access and routinely archiving Your
Content.
-“Term” means the term of this Agreement described in Section 7.1.
+4.4 Log-In Credentials and Account Keys. AWS log-in credentials and private
keys generated by the Services are for your internal use only and you will not
sell, transfer or sublicense them to any other entity or person, except that
you may disclose your private key to your agents and subcontractors performing
work on your behalf.
-“Termination Date” means the effective date of termination provided in
accordance with Section 7, in a notice from one party to the other.
+4.5 End Users. You will be deemed to have taken any action that you permit,
assist or facilitate any person or entity to take related to this Agreement,
Your Content or use of the Service Offerings. You are responsible for End
Users’ use of Your Content and the Service Offerings. You will ensure that all
End Users comply with your obligations under this Agreement and that the terms
of your agreement with each End User are consistent with this Agreement. If you
become aware of any violati [...]
+5. Fees and Payment.
-“Third-Party Content” means Content made available to you by any third party
on the AWS Site or in conjunction with the Services.
+5.1 Service Fees. We calculate and bill fees and charges monthly. We may bill
you more frequently for fees accrued if we suspect that your account is
fraudulent or at risk of non-payment. You will pay us the applicable fees and
charges for use of the Service Offerings as described on the AWS Site using one
of the payment methods we support. All amounts payable by you under this
Agreement will be paid to us without setoff or counterclaim, and without any
deduction or withholding. Fees and [...]
-“Trademark Use Guidelines” means the guidelines and trademark license located
at http://aws.amazon.com/trademark-guidelines/ (and any successor or related
locations designated by us), as they may be updated by us from time to time.
+5.2 Taxes. Each party will be responsible, as required under applicable law,
for identifying and paying all taxes and other governmental fees and charges
(and any penalties, interest, and other additions thereto) that are imposed on
that party upon or with respect to the transactions and payments under this
Agreement. All fees payable by you are exclusive of Indirect Taxes. We may
charge and you will pay applicable Indirect Taxes that we are legally obligated
or authorized to collect fro [...]
+6. Temporary Suspension.
-“Your Content” means Content that you or any End User transfers to us for
processing, storage or hosting by the Services in connection with your AWS
account and any computational results that you or any End User derive from the
foregoing through their use of the Services. For example, Your Content includes
Content that you or any End User stores in Amazon Simple Storage Service. Your
Content does not include Account Information.
+6.1 Generally. We may suspend your or any End User’s right to access or use
any portion or all of the Service Offerings immediately upon notice to you if
we determine:
-#+END_QUOTE
+(a) your or an End User’s use of the Service Offerings (i) poses a security
risk to the Service Offerings or any third party, (ii) could adversely impact
our systems, the Service Offerings or the systems or Content of any other AWS
customer, (iii) could subject us, our affiliates, or any third party to
liability, or (iv) could be fraudulent;
-A telephone number is required to complete the default sign-up
-process. It may be possible to sign up without a phone, but I did not
-try that. AWS displays a number on the website, an automated system
-calls the phone number you provide, you enter the displayed number,
-and then the process is complete.
+(b) you are, or any End User is, in breach of this Agreement;
-First things first. To escape the need to run JavaScript in the AWS
-Management Console, let's create the bare minimum IAM resources
-required to get started without the AWS Management console. We'll
-create the following:
+(c) you are in breach of your payment obligations under Section 5; or
-User: marusich (a user with an API key)
-Group: Administrators (a group with full access to everything in the account)
+(d) you have ceased to operate in the ordinary course, made an assignment for
the benefit of creditors or similar disposition of your assets, or become the
subject of any bankruptcy, reorganization, liquidation, dissolution or similar
proceeding.
-* Free Tier
-For first 12 months (from 2018-12-26), this AWS account will have
-access to the "free tier", which gives discounts on some services:
+6.2 Effect of Suspension. If we suspend your right to access or use any
portion or all of the Service Offerings:
-https://aws.amazon.com/free/
+(a) you remain responsible for all fees and charges you incur during the
period of suspension; and
-Notable parts:
+(b) you will not be entitled to any service credits under the Service Level
Agreements for any period of suspension.
+7. Term; Termination.
-#+BEGIN_QUOTE
-Data Transfer
+7.1 Term. The term of this Agreement will commence on the Effective Date and
will remain in effect until terminated under this Section 7. Any notice of
termination of this Agreement by either party to the other must include a
Termination Date that complies with the notice periods in Section 7.2.
- 15 GB of data transfer out and 1GB of regional data transfer aggregated
across all AWS services*
+7.2 Termination.
-Amazon CloudFront
+(a) Termination for Convenience. You may terminate this Agreement for any
reason by providing us notice and closing your account for all Services for
which we provide an account closing mechanism. We may terminate this Agreement
for any reason by providing you at least 30 days’ advance notice.
- 50 GB Data Transfer Out, 2,000,000 HTTP and HTTPS Requests of Amazon
CloudFront*
-#+END_QUOTE
+(b) Termination for Cause.
-* Privacy Policy
-AWS has a privacy policy:
+(i) By Either Party. Either party may terminate this Agreement for cause if
the other party is in material breach of this Agreement and the material breach
remains uncured for a period of 30 days from receipt of notice by the other
party. No later than the Termination Date, you will close your account.
-https://aws.amazon.com/privacy/
+(ii) By Us. We may also terminate this Agreement immediately upon notice to
you (A) for cause if we have the right to suspend under Section 6, (B) if our
relationship with a third-party partner who provides software or other
technology we use to provide the Service Offerings expires, terminates or
requires us to change the way we provide the software or other technology as
part of the Services, or (C) in order to comply with the law or requests of
governmental entities.
-Here is the contents, as of 2018-12-26:
+7.3 Effect of Termination.
-#+BEGIN_QUOTE
- Privacy Notice
-Last Updated: November 1, 2018
+(a) Generally. Upon the Termination Date:
-This Privacy Notice describes how we collect and use your personal information
in relation to AWS websites, applications, products, services, events, and
experiences that reference this Privacy Notice (together, “AWS Offerings”).
+(i) except as provided in Section 7.3(b), all your rights under this Agreement
immediately terminate;
-This Privacy Notice does not apply to the “content” processed, stored, or
hosted by our customers using AWS Offerings in connection with an AWS account.
See the agreement governing your access to your AWS account and the AWS Data
Privacy FAQ for more information about how we handle content and how our
customers can control their content through AWS Offerings. This Privacy Notice
also does not apply to any products, services, websites, or content that are
offered by third parties or have [...]
+(ii) you remain responsible for all fees and charges you have incurred through
the Termination Date and are responsible for any fees and charges you incur
during the post-termination period described in Section 7.3(b);
- Personal Information We Collect
- How We Use Personal Information
- Cookies
- How We Share Personal Information
- Location of Personal Information
- How We Secure Information
- Internet Advertising and Third Parties
- Access and Choice
- Children’s Personal Information
- Retention of Personal Information
- Contacts, Notices, and Revisions
- EU-US and Swiss-US Privacy Shield
- Additional Information for Certain Jurisdictions
- Examples of Information Collected
+(iii) you will immediately return or, if instructed by us, destroy all AWS
Content in your possession; and
-Personal Information We Collect
+(iv) Sections 4.1, 5, 7.3, 8 (except the license granted to you in Section
8.3), 9, 10, 11, 13 and 14 will continue to apply in accordance with their
terms.
-We collect your personal information in the course of providing AWS Offerings
to you.
+(b) Post-Termination. Unless we terminate your use of the Service Offerings
pursuant to Section 7.2(b), during the 30 days following the Termination Date:
-Here are the types of information we gather:
+(i) we will not take action to remove from the AWS systems any of Your Content
as a result of the termination; and
- Information You Give Us: We collect any information you provide in
relation to AWS Offerings. Click here to see examples of information you give
us.
- Automatic Information: We automatically collect certain types of
information when you interact with AWS Offerings. Click here to see examples of
information we collect automatically.
- Information from Other Sources: We might collect information about you
from other sources, including service providers, partners, and publicly
available sources. Click here to see examples of information we collect from
other sources.
+(ii) we will allow you to retrieve Your Content from the Services only if you
have paid all amounts due under this Agreement.
-How We Use Personal Information
+For any use of the Services after the Termination Date, the terms of this
Agreement will apply and you will pay the applicable fees at the rates under
Section 5.
+8. Proprietary Rights.
-We use your personal information to operate, provide, and improve AWS
Offerings. Our purposes for using personal information include:
+8.1 Your Content. Except as provided in this Section 8, we obtain no rights
under this Agreement from you (or your licensors) to Your Content. You consent
to our use of Your Content to provide the Service Offerings to you and any End
Users.
- Provide AWS Offerings: We use your personal information to provide and
deliver AWS Offerings and process transactions related to AWS Offerings,
including registrations, subscriptions, purchases, and payments.
- Measure, Support, and Improve AWS Offerings: We use your personal
information to measure use of, analyze performance of, fix errors in, provide
support for, improve, and develop AWS Offerings.
- Recommendations and Personalization: We use your personal information to
recommend AWS Offerings that might be of interest to you, identify your
preferences, and personalize your experience with AWS Offerings.
- Comply with Legal Obligations: In certain cases, we have a legal
obligation to collect, use, or retain your personal information. For example,
we collect bank account information from AWS Marketplace sellers for identity
verification.
- Communicate with You: We use your personal information to communicate with
you in relation to AWS Offerings via different channels (e.g., by phone, email,
chat) and to respond to your requests.
- Marketing: We use your personal information to market and promote AWS
Offerings. We might display interest-based ads for AWS Offerings. To learn
more, please read our Interest-Based Ads notice.
- Fraud and Abuse Prevention and Credit Risks: We use your personal
information to prevent and detect fraud and abuse in order to protect the
security of our customers, AWS, and others. We may also use scoring methods to
assess and manage credit risks.
- Purposes for Which We Seek Your Consent: We may also ask for your consent
to use your personal information for a specific purpose that we communicate to
you.
+8.2 Adequate Rights. You represent and warrant to us that: (a) you or your
licensors own all right, title, and interest in and to Your Content and
Suggestions; (b) you have all rights in Your Content and Suggestions necessary
to grant the rights contemplated by this Agreement; and (c) none of Your
Content or End Users’ use of Your Content or the Service Offerings will violate
the Acceptable Use Policy.
-Cookies
+8.3 Service Offerings License. We or our licensors own all right, title, and
interest in and to the Service Offerings, and all related technology and
intellectual property rights. Subject to the terms of this Agreement, we grant
you a limited, revocable, non-exclusive, non-sublicensable, non-transferrable
license to do the following: (a) access and use the Services solely in
accordance with this Agreement; and (b) copy and use the AWS Content solely in
connection with your permitted use [...]
-To enable our systems to recognize your browser or device and to provide AWS
Offerings to you, we use cookies. For more information about cookies and how we
use them, please read our Cookies Notice.
-How We Share Personal Information
+8.4 License Restrictions. Neither you nor any End User will use the Service
Offerings in any manner or for any purpose other than as expressly permitted by
this Agreement. Neither you nor any End User will, or will attempt to (a)
modify, distribute, alter, tamper with, repair, or otherwise create derivative
works of any Content included in the Service Offerings (except to the extent
Content included in the Service Offerings is provided to you under a separate
license that expressly permi [...]
-Information about our customers is an important part of our business and we
are not in the business of selling our customers’ personal information to
others. We share personal information only as described below and with
Amazon.com, Inc. and the subsidiaries that Amazon.com, Inc. controls that are
either subject to this Privacy Notice or follow practices at least as
protective as those described in this Privacy Notice.
+8.5 Suggestions. If you provide any Suggestions to us or our affiliates, we
and our affiliates will be entitled to use the Suggestions without restriction.
You hereby irrevocably assign to us all right, title, and interest in and to
the Suggestions and agree to provide us any assistance we require to document,
perfect, and maintain our rights in the Suggestions.
+9. Indemnification.
- Transactions Involving Third Parties: We make available to you services,
software, and content provided by third parties for use on or through AWS
Offerings. You can tell when a third party is involved in your transactions,
and we share information related to those transactions with that third party.
For example, you can order services, software, and content from sellers using
the AWS Marketplace and we provide those sellers information to facilitate your
subscription, purchases, or [...]
- Third-Party Service Providers: We employ other companies and individuals
to perform functions on our behalf. Examples include: delivering AWS hardware,
sending communications, processing payments, assessing credit and compliance
risks, analyzing data, providing marketing and sales assistance (including
advertising and event management), conducting customer relationship management,
and providing training. These third party service providers have access to
personal information needed t [...]
- Business Transfers: As we continue to develop our business, we might sell
or buy businesses or services. In such transactions, personal information
generally is one of the transferred business assets but remains subject to the
promises made in any pre-existing Privacy Notice (unless, of course, the
individual consents otherwise). Also, in the unlikely event that AWS or
substantially all of its assets are acquired, your information will of course
be one of the transferred assets.
- Protection of Us and Others: We release account and other personal
information when we believe release is appropriate to comply with the law,
enforce or apply our terms and other agreements, or protect the rights,
property, or security of AWS, our customers, or others. This includes
exchanging information with other companies and organizations for fraud
prevention and detection and credit risk reduction.
- At Your Option: Other than as set out above, you will receive notice when
personal information about you might be shared with third parties, and you will
have an opportunity to choose not to share the information.
+9.1 General. You will defend, indemnify, and hold harmless us, our affiliates
and licensors, and each of their respective employees, officers, directors, and
representatives from and against any Losses arising out of or relating to any
third-party claim concerning: (a) your or any End Users’ use of the Service
Offerings (including any activities under your AWS account and use by your
employees and personnel); (b) breach of this Agreement or violation of
applicable law by you, End Users o [...]
-Location of Personal Information
+9.2 Intellectual Property.
-Amazon Web Services, Inc. is located in the United States, and our affiliated
companies are located throughout the world. Depending on the scope of your
interactions with AWS Offerings, your personal information may be stored in or
accessed from multiple countries, including the United States. Whenever we
transfer personal information to other jurisdictions, we will ensure that the
information is transferred in accordance with this Privacy Notice and as
permitted by applicable data prote [...]
-How We Secure Information
+(a) Subject to the limitations in this Section 9, AWS will defend you and your
employees, officers, and directors against any third-party claim alleging that
the Services infringe or misappropriate that third party’s intellectual
property rights, and will pay the amount of any adverse final judgment or
settlement.
-At AWS, security is our highest priority. We design our systems with your
security and privacy in mind.
+(b) Subject to the limitations in this Section 9, you will defend AWS, its
affiliates, and their respective employees, officers, and directors against any
third-party claim alleging that any of Your Content infringes or
misappropriates that third party’s intellectual property rights, and will pay
the amount of any adverse final judgment or settlement.
- We maintain a wide variety of compliance programs that validate our
security controls. Click here to learn more about our compliance programs.
- We protect the security of your information during transmission to or from
AWS websites, applications, products, or services by using encryption protocols
and software.
- We follow the Payment Card Industry Data Security Standard (PCI DSS) when
handling credit card data.
- We maintain physical, electronic, and procedural safeguards in connection
with the collection, storage, and disclosure of personal information. Our
security procedures mean that we may request proof of identity before we
disclose personal information to you.
+(c) Neither party will have obligations or liability under this Section 9.2
arising from infringement by combinations of the Services or Your Content, as
applicable, with any other product, service, software, data, content or method.
In addition, AWS will have no obligations or liability arising from your or any
End User’s use of the Services after AWS has notified you to discontinue such
use. The remedies provided in this Section 9.2 are the sole and exclusive
remedies for any third-par [...]
-Internet Advertising and Third Parties
+(d) For any claim covered by Section 9.2(a), AWS will, at its election,
either: (i) procure the rights to use that portion of the Services alleged to
be infringing; (ii) replace the alleged infringing portion of the Services with
a non-infringing alternative; (iii) modify the alleged infringing portion of
the Services to make it non-infringing; or (iv) terminate the allegedly
infringing portion of the Services or this Agreement.
-AWS Offerings may include third-party advertising and links to other websites
and applications. Third party advertising partners may collect information
about you when you interact with their content, advertising, or services. For
more information about third-party advertising, including interest-based ads,
please read our Interest-Based Ads notice.
-Access and Choice
+9.3 Process. The obligations under this Section 9 will apply only if the party
seeking defense or indemnity: (a) gives the other party prompt written notice
of the claim; (b) permits the other party to control the defense and settlement
of the claim; and (c) reasonably cooperates with the other party (at the other
party’s expense) in the defense and settlement of the claim. In no event will a
party agree to any settlement of any claim that involves any commitment, other
than the payment [...]
+10. Disclaimers.
-You can view, update, and delete certain information about your account and
your interactions with AWS Offerings. Click here for a list of examples of
information that you can access. If you cannot access or update your
information yourself, you can always contact us for assistance.
+THE SERVICE OFFERINGS ARE PROVIDED “AS IS.” EXCEPT TO THE EXTENT PROHIBITED BY
LAW, OR TO THE EXTENT ANY STATUTORY RIGHTS APPLY THAT CANNOT BE EXCLUDED,
LIMITED OR WAIVED, WE AND OUR AFFILIATES AND LICENSORS (A) MAKE NO
REPRESENTATIONS OR WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY
OR OTHERWISE REGARDING THE SERVICE OFFERINGS OR THE THIRD-PARTY CONTENT, AND
(B) DISCLAIM ALL WARRANTIES, INCLUDING ANY IMPLIED OR EXPRESS WARRANTIES (I) OF
MERCHANTABILITY, SATISFACTORY QUALIT [...]
+11. Limitations of Liability.
-You have choices about the collection and use of your personal information.
Many AWS Offerings include settings that provide you with options as to how
your information is being used. You can choose not to provide certain
information, but then you might not be able to take advantage of certain AWS
Offerings.
+WE AND OUR AFFILIATES AND LICENSORS WILL NOT BE LIABLE TO YOU FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES (INCLUDING
DAMAGES FOR LOSS OF PROFITS, REVENUES, CUSTOMERS, OPPORTUNITIES, GOODWILL, USE,
OR DATA), EVEN IF A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
FURTHER, NEITHER WE NOR ANY OF OUR AFFILIATES OR LICENSORS WILL BE RESPONSIBLE
FOR ANY COMPENSATION, REIMBURSEMENT, OR DAMAGES ARISING IN CONNECTION WITH: (A)
YOUR INABILITY TO U [...]
+12. Modifications to the Agreement.
- Account Information: If you want to add, update, or delete information
related to your account, please go to the AWS Management Console. When you
update or delete any information, we usually keep a copy of the prior version
for our records.
- Communications: If you do not want to receive promotional messages from
us, please unsubscribe or adjust your communication preferences in the AWS
Management Console or the AWS Email Preference Center. If you do not want to
receive in-app notifications from us, please adjust your notification settings
in the app or your device.
- Advertising: If you don’t want to see interest-based ads, please adjust
your Advertising Preferences.
- Browser and Devices: The Help feature on most browsers and devices will
tell you how to prevent your browser or device from accepting new cookies, how
to have the browser notify you when you receive a new cookie, or how to disable
cookies altogether.
- Sellers and Amazon Partners: Sellers and Amazon Partner Network members
can add, update, or delete information in the AWS Marketplace and APN Partner
Central, respectively.
+We may modify this Agreement (including any Policies) at any time by posting a
revised version on the AWS Site or by otherwise notifying you in accordance
with Section 13.10; provided, however, that we will provide at least 90 days’
advance notice in accordance with Section 13.10 for adverse changes to any
Service Level Agreement. Subject to the 90 day advance notice requirement with
respect to adverse changes to Service Level Agreements, the modified terms will
become effective upon pos [...]
+13. Miscellaneous.
-Children’s Personal Information
+13.1 Assignment. You will not assign or otherwise transfer this Agreement or
any of your rights and obligations under this Agreement, without our prior
written consent. Any assignment or transfer in violation of this Section 13.1
will be void. We may assign this Agreement without your consent (a) in
connection with a merger, acquisition or sale of all or substantially all of
our assets, or (b) to any Affiliate or as part of a corporate reorganization;
and effective upon such assignment, [...]
-We don’t provide AWS Offerings for purchase by children. If you’re under 18,
you may use AWS Offerings only with the involvement of a parent or guardian.
-Retention of Personal Information
+13.2 Entire Agreement. This Agreement incorporates the Policies by reference
and is the entire agreement between you and us regarding the subject matter of
this Agreement. This Agreement supersedes all prior or contemporaneous
representations, understandings, agreements, or communications between you and
us, whether written or verbal, regarding the subject matter of this Agreement
(but does not supersede prior commitments to purchase Services such as Amazon
EC2 Reserved Instances). We wi [...]
-We keep your personal information to enable your continued use of AWS
Offerings, for as long as it is required in order to fulfill the relevant
purposes described in this Privacy Notice, as may be required by law (including
for tax and accounting purposes), or as otherwise communicated to you. How long
we retain specific personal information varies depending on the purpose for its
use, and we will delete your personal information in accordance with applicable
law.
-Contacts, Notices, and Revisions
+13.3 Force Majeure. We and our affiliates will not be liable for any delay or
failure to perform any obligation under this Agreement where the delay or
failure results from any cause beyond our reasonable control, including acts of
God, labor disputes or other industrial disturbances, electrical or power
outages, utilities or other telecommunications failures, earthquake, storms or
other elements of nature, blockages, embargoes, riots, acts or orders of
government, acts of terrorism, or war.
-If you have any concern about privacy at AWS or want to contact one of our
data controllers, please contact us with a thorough description, and we will
try to resolve it. You may also contact us at the addresses below:
+13.4 Governing Law. The Governing Laws, without reference to conflict of law
rules, govern this Agreement and any dispute of any sort that might arise
between you and us. The United Nations Convention for the International Sale of
Goods does not apply to this Agreement.
- For any prospective or current customers of Amazon Web Services, Inc., our
mailing address is: Amazon Web Services, Inc., 410 Terry Avenue North, Seattle,
WA 98109-5210, ATTN: AWS Legal
- For any prospective or current customers of Amazon Web Services EMEA SARL,
our mailing address is: Amazon Web Services EMEA SARL, 38 Avenue John F.
Kennedy, L-1855, Luxembourg, ATTN: AWS EMEA Legal
- For any prospective or current customers of Amazon Internet Services
Private Limited, our mailing address is: Amazon Internet Services Private
Limited, Ground Floor, Eros Corporate Towers, Nehru Place, New Delhi, 110 019,
India, ATTN: AISPL Legal
+13.5 Disputes. Any dispute or claim relating in any way to your use of the
Service Offerings, or to any products or services sold or distributed by AWS
will be adjudicated in the Governing Courts, and you consent to exclusive
jurisdiction and venue in the Governing Courts; except, if the applicable AWS
Contracting Party is Amazon Web Services, Inc., any such dispute will be
resolved by binding arbitration as provided in this Section 13.5, rather than
in court, except that you may assert [...]
-If you interact with AWS Offerings on behalf of or through your organization,
then your personal information may also be subject to your organization’s
privacy practices, and you should direct privacy inquiries to your organization.
+13.6 Trade Compliance. In connection with this Agreement, each party will
comply with all applicable import, re-import, sanctions, anti-boycott, export,
and re-export control laws and regulations, including all such laws and
regulations that apply to a U.S. company, such as the Export Administration
Regulations, the International Traffic in Arms Regulations, and economic
sanctions programs implemented by the Office of Foreign Assets Control. For
clarity, you are solely responsible for co [...]
-Our business changes constantly, and our Privacy Notice may also change. You
should check our website frequently to see recent changes. You can see the date
on which the latest version of this Privacy Notice was posted. Unless stated
otherwise, our current Privacy Notice applies to all personal information we
have about you and your account. We stand behind the promises we make, however,
and will never materially change our policies and practices to make them less
protective of personal [...]
-EU-US and Swiss-US Privacy Shield
+13.7 Independent Contractors; Non-Exclusive Rights. We and you are independent
contractors, and this Agreement will not be construed to create a partnership,
joint venture, agency, or employment relationship. Neither party, nor any of
their respective affiliates, is an agent of the other for any purpose or has
the authority to bind the other. Both parties reserve the right (a) to develop
or have developed for it products, services, concepts, systems, or techniques
that are similar to or [...]
-Amazon Web Services, Inc. participates in the EU-US and Swiss-US Privacy
Shield frameworks. Click here to learn more.
-Additional Information for Certain Jurisdictions
+13.8 Language. All communications and notices made or given pursuant to this
Agreement must be in the English language. If we provide a translation of the
English language version of this Agreement, the English language version of the
Agreement will control if there is any conflict.
-We provide additional information about the privacy, collection, and use of
personal information of prospective and current customers of AWS Offerings
located in certain jurisdictions.
+13.9 Confidentiality and Publicity. You may use AWS Confidential Information
only in connection with your use of the Service Offerings as permitted under
this Agreement. You will not disclose AWS Confidential Information during the
Term or at any time during the 5-year period following the end of the Term. You
will take all reasonable measures to avoid disclosure, dissemination or
unauthorized use of AWS Confidential Information, including, at a minimum,
those measures you take to protec [...]
-For any prospective or current customers of AWS Offerings in Canada:
+13.10 Notice.
-Your Rights. Subject to applicable law, you have the right to:
+(a) To You. We may provide any notice to you under this Agreement by: (i)
posting a notice on the AWS Site; or (ii) sending a message to the email
address then associated with your account. Notices we provide by posting on the
AWS Site will be effective upon posting and notices we provide by email will be
effective when we send the email. It is your responsibility to keep your email
address current. You will be deemed to have received any email sent to the
email address then associated w [...]
- ask whether we hold personal information about you and request copies of
such personal information and information about how it is processed;
- request that inaccurate personal information is corrected;
- request deletion of personal information that is no longer necessary for
the purposes underlying the processing, processed based on withdrawn consent,
or processed in non-compliance with applicable legal requirements; and
- lodge a complaint with us regarding our practices related to your personal
information.
+(b) To Us. To give us notice under this Agreement, you must contact AWS by
facsimile transmission or personal delivery, overnight courier or registered or
certified mail to the facsimile number or mailing address, as applicable,
listed for the applicable AWS Contracting Party in Section 14 below. We may
update the facsimile number or address for notices to us by posting a notice on
the AWS Site. Notices provided by personal delivery will be effective
immediately. Notices provided by facs [...]
-You can exercise your rights of access, rectification, erasure, restriction,
or complaint by contacting us. If you wish to do any of these things and you
are an AWS customer, please contact us. If you are not an AWS customer, please
contact us at the address stated under Notice and Revisions above.
+13.11 No Third-Party Beneficiaries. Except as set forth in Section 9, this
Agreement does not create any third-party beneficiary rights in any individual
or entity that is not a party to this Agreement.
-For any prospective or current customers of AWS Offerings in the European
Economic Area (EEA):
+13.12 U.S. Government Rights. The Service Offerings are provided to the U.S.
Government as “commercial items,” “commercial computer software,” “commercial
computer software documentation,” and “technical data” with the same rights and
restrictions generally applicable to the Service Offerings. If you are using
the Service Offerings on behalf of the U.S. Government and these terms fail to
meet the U.S. Government’s needs or are inconsistent in any respect with
federal law, you will immedi [...]
-Controller of Personal Information. Amazon Web Services EMEA SARL, 5 rue
Plaetis, L-2338 Luxembourg, is the data controller of personal information
collected or processed through AWS Offerings. Amazon Web Services EMEA SARL, is
the authorized representative of Amazon Web Services, Inc. in the EEA.
+13.13 No Waivers. The failure by us to enforce any provision of this Agreement
will not constitute a present or future waiver of such provision nor limit our
right to enforce such provision at a later time. All waivers by us must be in
writing to be effective.
-Processing. We process your personal information on one or more of the
following legal bases:
+13.14 Severability. If any portion of this Agreement is held to be invalid or
unenforceable, the remaining portions of this Agreement will remain in full
force and effect. Any invalid or unenforceable portions will be interpreted to
effect and intent of the original portion. If such construction is not
possible, the invalid or unenforceable portion will be severed from this
Agreement but the rest of the Agreement will remain in full force and effect.
+14. Definitions.
- as necessary to enter into a contract with you or a legal entity you
represent, to perform our contractual obligations, to provide AWS Offerings, to
respond to requests from you, or to provide customer support;
- where we have a legitimate interest, as described in this Privacy Notice
(see How We Use Personal Information above);
- as necessary to comply with relevant law and legal obligations, including
to
- respond to lawful requests and orders; or
- with your consent.
+“Acceptable Use Policy” means the policy located at http://aws.amazon.com/aup
(and any successor or related locations designated by us), as it may be updated
by us from time to time.
-Your Rights. Subject to applicable law, you have the right to:
+“Account Country” is the country associated with your account. If you have
provided a valid tax registration number for your account, then your Account
Country is the country associated with your tax registration. If you have not
provided a valid tax registration, then your Account Country is the country
where your billing address is located, except if your credit card account is
issued in a different country and your contact address is also in that country,
then your Account Country is [...]
- ask whether we hold personal information about you and request copies of
such personal information and information about how it is processed;
- request that inaccurate personal information is corrected;
- request deletion of personal information that is no longer necessary for
the purposes underlying the processing, processed based on withdrawn consent,
or processed in non-compliance with applicable legal requirements;
- request us to restrict the processing of personal information where the
processing is inappropriate;
- object to the processing of personal data;
- request portability of personal information that you have provided to us
(which does not include information derived from the collected information),
where the processing of such personal information is based on consent or a
contract with you and is carried out by automated means; and
- lodge a complaint with our principal supervisory authority, the Commission
Nationale pour la Protection des Données in Luxembourg www.cnpd.lu, or with a
local authority.
+“Account Information” means information about you that you provide to us in
connection with the creation or administration of your AWS account. For
example, Account Information includes names, usernames, phone numbers, email
addresses and billing information associated with your AWS account.
-You can exercise your rights of access, rectification, erasure, restriction,
objection, and data portability by contacting us. If you wish to do any of
these things and you are an AWS customer, please contact us. If you are not an
AWS customer, please contact us at the address under Notice and Revisions above.
+“API” means an application program interface.
-When you consent to our processing your personal information for a specified
purpose, you may withdraw your consent at any time, and we will stop any
further processing of your data for that purpose.
+“AWS Confidential Information” means all nonpublic information disclosed by
us, our affiliates, business partners or our or their respective employees,
contractors or agents that is designated as confidential or that, given the
nature of the information or circumstances surrounding its disclosure,
reasonably should be understood to be confidential. AWS Confidential
Information includes: (a) nonpublic information relating to our or our
affiliates or business partners’ technology, customer [...]
-Cookies. Please refer to our Cookies Notice.
+“AWS Content” means Content we or any of our affiliates make available in
connection with the Services or on the AWS Site to allow access to and use of
the Services, including APIs; WSDLs; Documentation; sample code; software
libraries; command line tools; proofs of concept; templates; and other related
technology (including any of the foregoing that are provided by our personnel).
AWS Content does not include the Services or Third-Party Content.
-Transfers outside of the EEA. When we transfer your personal information
outside the EEA we do so in accordance with the terms of this Privacy Notice
and applicable data protection law. This may include the transfer of data in
accordance with the EU-US and Swiss-US Privacy Shield frameworks (for transfers
to the US) or pursuant to data transfer agreements that incorporate the
Standard Contractual Clauses approved by the EU Commission.
+"AWS Contracting Party" means the party identified in the table below, based
on your Account Country. If you change your Account Country to one identified
to a different AWS Contracting Party below, you agree that this Agreement is
then assigned to the new AWS Contracting Party under Section 13.1 without any
further action required by either party.
-For any prospective or current customers of AWS Offerings in Japan:
+Account Country
+
-Any personal information provided to or gathered by Amazon Web Services Japan
K.K. is controlled primarily by Amazon Web Services Japan K.K. Any personal
information collected by Amazon Web Services, Inc. is controlled primarily by
Amazon Web Services, Inc. We use information in accordance with this Privacy
Notice jointly with our domestic and foreign subsidiaries of Amazon.com, Inc.,
including Amazon Web Services, Inc., Amazon Web Services Japan K.K., Amazon Web
Services EMEA SARL, and [...]
+AWS Contracting Party
+
- For any prospective or current customers of AWS Offerings in South Korea:
+Facsimile
+
- AWS has contracts in place with the following third party service
provider(s) to perform functions on behalf of AWS in Korea, and they may have
access to your personal information as needed to perform their functions
described below:
+Mailing Address
- Name of Party
-
+Any country within Europe, the Middle East, or Africa ("EMEA")*
- Description of Function
+
+
- Marketo
-
+Amazon Web Services EMEA SARL
+
- Customer communications
+352 2789 0057
+ 38 Avenue John F. Kennedy, L-1855, Luxembourg
- Salesforce
-
+Any other country that is not in EMEA
+
- Customer relationship management
+Amazon Web Services, Inc.
+
- PaymentTech
-
+206-266-7010
+ 410 Terry Avenue North,
+Seattle, WA 98109-5210
+U.S.A.
- Payment instrument processing
+*See https://aws.amazon.com/legal/aws-emea-countries for a full list of EMEA
countries.
- When deleting personal information, AWS will take standard commercially
reasonable measures to make the personal information practically irrecoverable
or irreproducible. The specific manner of deletion will depend on the
information being deleted, how the information was collected and stored, and
your interactions with us. Electronic documents or files containing personal
information will be deleted using a technical method that makes recovery or
retrieval of such information practic [...]
+“AWS Marks” means any trademarks, service marks, service or trade names,
logos, and other designations of AWS and its affiliates that we may make
available to you in connection with this Agreement.
- If you have any privacy questions or requests please contact:
+“AWS Site” means http://aws.amazon.com (and any successor or related site
designated by us), as may be updated by us from time to time.
+“Content” means software (including machine images), data, text, audio, video
or images.
- AWS Korea Privacy
- Email: address@hidden
+“Documentation” means the user guides and admin guides (in each case exclusive
of content referenced via hyperlink) for the Services located at
http://aws.amazon.com/documentation (and any successor or related locations
designated by us), as such user guides and admin guides may be updated by AWS
from time to time.
-Examples of Information Collected
-Information You Give Us
+“End User” means any individual or entity that directly or indirectly through
another user: (a) accesses or uses Your Content; or (b) otherwise accesses or
uses the Service Offerings under your account. The term “End User” does not
include individuals or entities when they are accessing or using the Services
or any Content under their own AWS account, rather than under your account.
-You provide information to us when you:
+"Governing Laws" and “Governing Courts” mean, for each AWS Contracting Party,
the laws and courts set forth in the following table:
- search for, subscribe to, or purchase AWS Offerings;
- create or administer your AWS account (and you might have more than one
account if you have used more than one email address when using AWS Offerings);
- configure your settings for, provide data access permissions for, or
otherwise interact with AWS Offerings;
- register for or attend an AWS event;
- purchase or use content, products, or services from third-party providers
through the AWS Marketplace (or other similar venues operated or provided by
us);
- offer your content, products, or services on or through AWS Offerings or
the AWS Marketplace (or other similar venues operated or provided by us);
- communicate with us by phone, email, or otherwise;
- complete a questionnaire, a support ticket, or other information request
forms;
- post on AWS websites or participate in community features; and
- employ notification services.
+AWS Contracting Party
+
-Depending on your use of AWS Offerings, you might supply us with such
information as:
+Governing Laws
+
- your name, email address, physical address, phone number, and other
similar contact information;
- payment information, including credit card and bank account information;
- information about your location;
- information about your organization and your contacts, such as colleagues
or people within your organization;
- usernames, aliases, roles, and other authentication and security
credential information;
- content of feedback, testimonials, inquiries, support tickets, and any
phone conversations, chat sessions and emails with or to us;
- your image (still, video, and in some cases 3-D), voice, and other
identifiers that are personal to you when you attend an AWS event or use
certain AWS Offerings;
- information regarding identity, including government-issued identification
information;
- corporate and financial information; and
- VAT numbers and other tax identifiers.
+Governing Courts
-Automatic Information
+Amazon Web Services EMEA SARL
+
-We collect information automatically when you:
+The laws of the Grand Duchy of Luxembourg
+
- visit, interact with, or use AWS Offerings (including when you use your
computer or other device to interact with AWS Offerings);
- download content from us;
- open emails or click on links in emails from us; and
- interact or communicate with us (such as when you attend an AWS event or
when you request customer support).
+The courts of the district of Luxembourg City
-Examples of the information we automatically collect include:
+Amazon Web Services, Inc.
+
- network and connection information, such as the Internet protocol (IP)
address used to connect your computer or other device to the Internet and
information about your Internet service provider;
- computer and device information, such as device, application, or browser
type and version, browser plug-in type and version, operating system, or time
zone setting;
- the location of your device or computer;
- authentication and security credential information;
- content interaction information, such as content downloads, streams, and
playback details, including duration and number of simultaneous streams and
downloads;
- AWS Offerings metrics, such as offering usage, occurrences of technical
errors, diagnostic reports, your settings preferences, backup information, API
calls, and other logs;
- the full Uniform Resource Locators (URL) clickstream to, through, and from
our website (including date and time) and AWS Offerings, content you viewed or
searched for, page response times, download errors, and page interaction
information (such as scrolling, clicks, and mouse-overs);
- email addresses and phone numbers used to contact us; and
- identifiers and information contained in cookies (see our Cookies Notice).
+The laws of the State of Washington
+
-Information from Other Sources
+The state or Federal courts in King County, Washington
-Examples of information we receive from other sources include:
+“Indirect Taxes” means applicable taxes and duties, including, without
limitation, VAT, Service Tax, GST, excise taxes, sales and transactions taxes,
and gross receipts tax.
- marketing, sales generation, and recruitment information, including your
name, email address, physical address, phone number, and other similar contact
information;
- subscription, purchase, support, or other information about your
interactions with products and services offered by us, our affiliates (such as
AWS training courses), or third parties (such as products offered through the
AWS Marketplace) in relation to AWS Offerings;
- search results and links, including paid listings (such as Sponsored
Links); and
- credit history information from credit bureaus.
+“Losses” means any claims, damages, losses, liabilities, costs, and expenses
(including reasonable attorneys’ fees).
-Information You Can Access
+“Policies” means the Acceptable Use Policy, Privacy Policy, the Site Terms,
the Service Terms, the Trademark Use Guidelines, all restrictions described in
the AWS Content and on the AWS Site, and any other policy or terms referenced
in or incorporated into this Agreement, but does not include whitepapers or
other marketing materials referenced on the AWS Site.
-Examples of information you can access through AWS Offerings include:
+“Privacy Policy” means the privacy policy located at
http://aws.amazon.com/privacy (and any successor or related locations
designated by us), as it may be updated by us from time to time.
- your name, email address, physical address, phone number, and other
similar contact information;
- usernames, aliases, roles, and other authentication and security
credential information;
- your subscription, purchase, usage, billing, and payment history;
- payment settings, such as payment instrument information and billing
preferences;
- tax information;
- email communication and notification settings; and
- if you participate in the AWS Marketplace or Amazon Partner Network (or
other similar venues operated or provided by us), your account, your status,
subscriptions, and other information.
+“Service” means each of the services made available by us or our affiliates,
including those web services described in the Service Terms. Services do not
include Third-Party Content.
-Customers can access the information above through AWS Offerings, such as the
AWS Management Console (including the My Account, Billing Dashboard, Bills,
Payment Methods, Payment History, Preferences and Tax Settings pages), the AWS
Email Preference Center, AWS Marketplace, and APN Partner Central.
+“Service Attributes” means Service usage data related to your account, such as
resource identifiers, metadata tags, security and access roles, rules, usage
policies, permissions, usage statistics and analytics.
-#+END_QUOTE
+“Service Level Agreement” means all service level agreements that we offer
with respect to the Services and post on the AWS Site, as they may be updated
by us from time to time. The service level agreements we offer with respect to
the Services are located at
https://aws.amazon.com/legal/service-level-agreements/ (and any successor or
related locations designated by AWS), as may be updated by AWS from time to
time.
-* Initial manual bootstrap
-Create a user named safe-to-delete-admin and attach an IAM policy to
-it that lets it do anything. We'll delete this in a little bit.
+“Service Offerings” means the Services (including associated APIs), the AWS
Content, the AWS Marks, and any other product or service provided by us under
this Agreement. Service Offerings do not include Third-Party Content.
-Put the credentials in ~/.aws/credentials, like this: You must set up
-an AWS Credentials file a profile of the same name (i.e., "guix").
-For example, put this in your ~/.aws/credentials:
+“Service Terms” means the rights and restrictions for particular Services
located at http://aws.amazon.com/serviceterms (and any successor or related
locations designated by us), as may be updated by us from time to time.
-#+BEGIN_EXAMPLE
-[guix]
-aws_access_key_id=ACCESS_KEY_ID
-aws_secret_access_key=SECRET_ACCESS_KEY
-#+END_EXAMPLE
+“Site Terms” means the terms of use located at http://aws.amazon.com/terms/
(and any successor or related locations designated by us), as may be updated by
us from time to time.
-See:
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html
+“Suggestions” means all suggested improvements to the Service Offerings that
you provide to us.
-That documentation AWS CLI documentation, but the same ideas apply
-generally to other AWS SDKs and tools.
+“Term” means the term of this Agreement described in Section 7.1.
-Now, run "terraform init" in the directory containing the file
-"main.tf", and Terraform will download the AWS provider if you don't
-already have it.
+“Termination Date” means the effective date of termination provided in
accordance with Section 7, in a notice from one party to the other.
-Then run "terraform plan", and you should see something like this
-(note that originally, we hard-coded the "profile" in the main.tf
-file, so this command worked at that time):
+“Third-Party Content” means Content made available to you by any third party
on the AWS Site or in conjunction with the Services.
-#+BEGIN_EXAMPLE
-[0] address@hidden:~/maintenance/cdn/terraform
-$ AWS_DEFAULT_REGION=us-east-1 ~/Downloads/terraform plan
-Refreshing Terraform state in-memory prior to plan...
-The refreshed state will be used to calculate this plan, but will not be
-persisted to local or remote state storage.
-
-
-------------------------------------------------------------------------
-
-An execution plan has been generated and is shown below.
-Resource actions are indicated with the following symbols:
- + create
-
-Terraform will perform the following actions:
-
- + aws_iam_access_key.marusich-access-key-1
- id: <computed>
- encrypted_secret: <computed>
- key_fingerprint: <computed>
- pgp_key:
"mQINBFbG5HgBEADaV9vv/cNeWZ4QFubNU1o34aZ/l9oQI4b8/FNKgTt2MWgqNEPMM041EGZZNfbg\nD+RiQy5jHsa/73znXuvji/px8XI2PrTNBJQcZjVJxUlj/gvGoE/UPgUePV2abOetaV5Y/Op5KUGE\nmFL8NJuR7MLbg00J9DVQKH7gv45wWqx2+F8YYSG9aK+MqEea32cfyvtrKwH47aMIQP8xg6pKuSNZ\ns24Hc1x4JqSkbI/HfIja2No+ELIRLcSIhn1h3dn5DqjVVn80xTJJXlBCMe3x7EF5YPi8C5Nq35YY\ni/MBV1o/Pi0ZgKhqXhMBr580e+QdZw2SFfoXsbdVcrkhzy5bPmd/pKltvT4QfcCaGMgNLhZ8/4VR\n8r59l2dHV5OfeldzEy2vwi16gfmdcS4C9f2II5/B8oHnosvlXgWfCt4n0Y4hJJ6dHEHGegRD59vG
[...]
- secret: <computed>
- ses_smtp_password: <computed>
- status: <computed>
- user: "marusich"
-
- + aws_iam_group.administrators
- id: <computed>
- arn: <computed>
- name: "administrators"
- path: "/"
- unique_id: <computed>
-
- + aws_iam_group_membership.administrators-membership
- id: <computed>
- group: "administrators"
- name: "administrators-membership"
- users.#: "1"
- users.1205911796: "marusich"
-
- + aws_iam_group_policy_attachment.administrators-policy-attachment
- id: <computed>
- group: "administrators"
- policy_arn: "arn:aws:iam::aws:policy/AdministratorAccess"
-
- + aws_iam_user.marusich
- id: <computed>
- arn: <computed>
- force_destroy: "false"
- name: "marusich"
- path: "/"
- unique_id: <computed>
-
-
-Plan: 5 to add, 0 to change, 0 to destroy.
-
-------------------------------------------------------------------------
-
-Note: You didn't specify an "-out" parameter to save this plan, so Terraform
-can't guarantee that exactly these actions will be performed if
-"terraform apply" is subsequently run.
-
-[0] address@hidden:~/maintenance/cdn/terraform
-$
+“Trademark Use Guidelines” means the guidelines and trademark license located
at http://aws.amazon.com/trademark-guidelines/ (and any successor or related
locations designated by us), as they may be updated by us from time to time.
-#+END_EXAMPLE
+“Your Content” means Content that you or any End User transfers to us for
processing, storage or hosting by the Services in connection with your AWS
account and any computational results that you or any End User derive from the
foregoing through their use of the Services. For example, Your Content includes
Content that you or any End User stores in Amazon Simple Storage Service. Your
Content does not include Account Information.
+#+END_QUOTE
-Note: you have to specify AWS_DEFAULT_REGION or Terraform will ask you
-to enter a region manually, due to this bug:
-https://github.com/terraform-providers/terraform-provider-aws/issues/1767
+**** Privacy Policy
-Cool. Let's try creating it by running "terraform apply".
+AWS also has a privacy policy, which it mentions when you sign up for
+an account:
-It worked, hooray! Now we can update ~/.aws/configuration with the
-newly created access key (you have to decrypt its secret part from the
-output using GnuPG) and then delete the safe-to-delete-admin user
-manually (without using Terraform). After that, we can control nearly
-all aspects of the AWS account and its resources via IAM users.
+https://aws.amazon.com/privacy/
-** Enable IAM users to view billing information
+Here is the contents, as of 2018-12-26:
-Some activities cannot be done by an IAM user, even an administrator,
-without taking some manual steps first to allow it. Read more here:
+#+BEGIN_QUOTE
+ Privacy Notice
+Last Updated: November 1, 2018
-https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html
+This Privacy Notice describes how we collect and use your personal information
in relation to AWS websites, applications, products, services, events, and
experiences that reference this Privacy Notice (together, “AWS Offerings”).
-These tasks must be performed by the so-called "root user". The "root
-user" is a term that AWS uses to refer to, essentially, the entity
-that owns and has truly full control over all aspects of the account.
-It is not an IAM user.
+This Privacy Notice does not apply to the “content” processed, stored, or
hosted by our customers using AWS Offerings in connection with an AWS account.
See the agreement governing your access to your AWS account and the AWS Data
Privacy FAQ for more information about how we handle content and how our
customers can control their content through AWS Offerings. This Privacy Notice
also does not apply to any products, services, websites, or content that are
offered by third parties or have [...]
-One of these activities is viewing billing info, which is useful.
-Let's let IAM users do that:
+ Personal Information We Collect
+ How We Use Personal Information
+ Cookies
+ How We Share Personal Information
+ Location of Personal Information
+ How We Secure Information
+ Internet Advertising and Third Parties
+ Access and Choice
+ Children’s Personal Information
+ Retention of Personal Information
+ Contacts, Notices, and Revisions
+ EU-US and Swiss-US Privacy Shield
+ Additional Information for Certain Jurisdictions
+ Examples of Information Collected
-https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/grantaccess.html#ControllingAccessWebsite-Activate
+Personal Information We Collect
-Once that's done, all administrators can now also view the billing
-information. In addition, it is now possible to define new IAM
-policies to grant the specific permission to view the billing
-information (but not anything else). For example, we could create a
-group called "accountants" that contains users who need access to view
-billing information (but nothing else).
+We collect your personal information in the course of providing AWS Offerings
to you.
-** Get invoice as PDF via email
-To further reduce the need to run JavaScript just to view your
-invoice, follow these instructions to have the invoice mailed to you
-as a PDF file:
+Here are the types of information we gather:
-https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/emailed-invoice.html
+ Information You Give Us: We collect any information you provide in
relation to AWS Offerings. Click here to see examples of information you give
us.
+ Automatic Information: We automatically collect certain types of
information when you interact with AWS Offerings. Click here to see examples of
information we collect automatically.
+ Information from Other Sources: We might collect information about you
from other sources, including service providers, partners, and publicly
available sources. Click here to see examples of information we collect from
other sources.
-I have done this for our account. It seems this cannot be configured
-using Terraform or any existing AWS API.
-** Enable cost explorer
-This is Cost Explorer:
-https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/ce-what-is.html
+How We Use Personal Information
-To ensure I have the ability to drill into the costs we might incur,
-I've enabled this for now. It isn't possible to enable it (yet) with
-Terraform configuration.
+We use your personal information to operate, provide, and improve AWS
Offerings. Our purposes for using personal information include:
-Enabling it adds no additional cost to our bill, even if we choose to
-use the Cost Explorer tool in the AWS Management Console. However, if
-we choose to use the Cost Explorer APIs, those do cost extra.
-** Enable "Receive billing alerts"
-It is necessary to enable "receive billing alerts" in order to create
-alarms on billing-related metrics. I've manually enabled this for our
-account. It isn't possible (yet?) to configure this in Terraform
-configuration. For details, see:
+ Provide AWS Offerings: We use your personal information to provide and
deliver AWS Offerings and process transactions related to AWS Offerings,
including registrations, subscriptions, purchases, and payments.
+ Measure, Support, and Improve AWS Offerings: We use your personal
information to measure use of, analyze performance of, fix errors in, provide
support for, improve, and develop AWS Offerings.
+ Recommendations and Personalization: We use your personal information to
recommend AWS Offerings that might be of interest to you, identify your
preferences, and personalize your experience with AWS Offerings.
+ Comply with Legal Obligations: In certain cases, we have a legal
obligation to collect, use, or retain your personal information. For example,
we collect bank account information from AWS Marketplace sellers for identity
verification.
+ Communicate with You: We use your personal information to communicate with
you in relation to AWS Offerings via different channels (e.g., by phone, email,
chat) and to respond to your requests.
+ Marketing: We use your personal information to market and promote AWS
Offerings. We might display interest-based ads for AWS Offerings. To learn
more, please read our Interest-Based Ads notice.
+ Fraud and Abuse Prevention and Credit Risks: We use your personal
information to prevent and detect fraud and abuse in order to protect the
security of our customers, AWS, and others. We may also use scoring methods to
assess and manage credit risks.
+ Purposes for Which We Seek Your Consent: We may also ask for your consent
to use your personal information for a specific purpose that we communicate to
you.
-https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/monitor_estimated_charges_with_cloudwatch.html
-* Configuration strucure
-There can be multiple files (*.tf, *.tfvars), or just one file. Name
-doesn't matter, as long as it ends in .tf or .tfvars. We could
-probably move our "variables.tf" into some kind of "variables.tfvars"
-file, but I haven't thought very much about the structure beyond that.
-It works, so that's good for now.
+Cookies
-Configuration files can contain things like this:
+To enable our systems to recognize your browser or device and to provide AWS
Offerings to you, we use cookies. For more information about cookies and how we
use them, please read our Cookies Notice.
+How We Share Personal Information
-- provider(s)
-- resource(s)
-- module(s)
-- variable(s)
-- output(s)
+Information about our customers is an important part of our business and we
are not in the business of selling our customers’ personal information to
others. We share personal information only as described below and with
Amazon.com, Inc. and the subsidiaries that Amazon.com, Inc. controls that are
either subject to this Privacy Notice or follow practices at least as
protective as those described in this Privacy Notice.
-For now, we have a file called "main.tf" that describes all the
-Terraform-managed resources, and another file named "variables.tf"
-that contains variables that are referenced by resources in "main.tf".
+ Transactions Involving Third Parties: We make available to you services,
software, and content provided by third parties for use on or through AWS
Offerings. You can tell when a third party is involved in your transactions,
and we share information related to those transactions with that third party.
For example, you can order services, software, and content from sellers using
the AWS Marketplace and we provide those sellers information to facilitate your
subscription, purchases, or [...]
+ Third-Party Service Providers: We employ other companies and individuals
to perform functions on our behalf. Examples include: delivering AWS hardware,
sending communications, processing payments, assessing credit and compliance
risks, analyzing data, providing marketing and sales assistance (including
advertising and event management), conducting customer relationship management,
and providing training. These third party service providers have access to
personal information needed t [...]
+ Business Transfers: As we continue to develop our business, we might sell
or buy businesses or services. In such transactions, personal information
generally is one of the transferred business assets but remains subject to the
promises made in any pre-existing Privacy Notice (unless, of course, the
individual consents otherwise). Also, in the unlikely event that AWS or
substantially all of its assets are acquired, your information will of course
be one of the transferred assets.
+ Protection of Us and Others: We release account and other personal
information when we believe release is appropriate to comply with the law,
enforce or apply our terms and other agreements, or protect the rights,
property, or security of AWS, our customers, or others. This includes
exchanging information with other companies and organizations for fraud
prevention and detection and credit risk reduction.
+ At Your Option: Other than as set out above, you will receive notice when
personal information about you might be shared with third parties, and you will
have an opportunity to choose not to share the information.
-See:
-https://learn.hashicorp.com/terraform/getting-started/variables
-"Note: that the file can be named anything, since Terraform loads all
-files ending in .tf in a directory. "
-* Terraform-specific Problems
-** Downloads prebuilt binaries
-https://learn.hashicorp.com/terraform/getting-started/build
-By default, "terraform init" downloads and installs "plugin" binaries.
-It would be better if they were packaged individually in Guix.
+Location of Personal Information
-** Needs to keep track of some state
-https://learn.hashicorp.com/terraform/getting-started/build
+Amazon Web Services, Inc. is located in the United States, and our affiliated
companies are located throughout the world. Depending on the scope of your
interactions with AWS Offerings, your personal information may be stored in or
accessed from multiple countries, including the United States. Whenever we
transfer personal information to other jurisdictions, we will ensure that the
information is transferred in accordance with this Privacy Notice and as
permitted by applicable data prote [...]
+How We Secure Information
-"Terraform also wrote some data into the terraform.tfstate file. This
-state file is extremely important; it keeps track of the IDs of
-created resources so that Terraform knows what it is managing. This
-file must be saved and distributed to anyone who might run
-Terraform. It is generally recommended to setup remote state when
-working with Terraform, to share the state automatically, but this is
-not necessary for simple situations like this Getting Started guide."
+At AWS, security is our highest priority. We design our systems with your
security and privacy in mind.
-consider using s3 backend for remote state
-https://www.terraform.io/docs/backends/
-https://www.terraform.io/docs/state/remote.html
+ We maintain a wide variety of compliance programs that validate our
security controls. Click here to learn more about our compliance programs.
+ We protect the security of your information during transmission to or from
AWS websites, applications, products, or services by using encryption protocols
and software.
+ We follow the Payment Card Industry Data Security Standard (PCI DSS) when
handling credit card data.
+ We maintain physical, electronic, and procedural safeguards in connection
with the collection, storage, and disclosure of personal information. Our
security procedures mean that we may request proof of identity before we
disclose personal information to you.
-** terraform registry
-a collection of 'modules':
-https://registry.terraform.io/
+Internet Advertising and Third Parties
-* IAM Login URL
-Log into this URL with your IAM user name and password:
+AWS Offerings may include third-party advertising and links to other websites
and applications. Third party advertising partners may collect information
about you when you interact with their content, advertising, or services. For
more information about third-party advertising, including interest-based ads,
please read our Interest-Based Ads notice.
+Access and Choice
-https://354378008360.signin.aws.amazon.com/console
+You can view, update, and delete certain information about your account and
your interactions with AWS Offerings. Click here for a list of examples of
information that you can access. If you cannot access or update your
information yourself, you can always contact us for assistance.
-Alternatively, you can use this friendlier URL:
+You have choices about the collection and use of your personal information.
Many AWS Offerings include settings that provide you with options as to how
your information is being used. You can choose not to provide certain
information, but then you might not be able to take advantage of certain AWS
Offerings.
-https://guix.signin.aws.amazon.com/console
+ Account Information: If you want to add, update, or delete information
related to your account, please go to the AWS Management Console. When you
update or delete any information, we usually keep a copy of the prior version
for our records.
+ Communications: If you do not want to receive promotional messages from
us, please unsubscribe or adjust your communication preferences in the AWS
Management Console or the AWS Email Preference Center. If you do not want to
receive in-app notifications from us, please adjust your notification settings
in the app or your device.
+ Advertising: If you don’t want to see interest-based ads, please adjust
your Advertising Preferences.
+ Browser and Devices: The Help feature on most browsers and devices will
tell you how to prevent your browser or device from accepting new cookies, how
to have the browser notify you when you receive a new cookie, or how to disable
cookies altogether.
+ Sellers and Amazon Partners: Sellers and Amazon Partner Network members
can add, update, or delete information in the AWS Marketplace and APN Partner
Central, respectively.
-* How to import keys without all the signatures
-In most cases, a person's public PGP key has many signatures. These
-aren't necessary for encrypting the AWS Access Key and password
-mentioned above. All we need is the public key, not the signatures.
-The presence of the signatures makes the variables.tf file very large.
-We can prune down the exported public key for someone by doing this,
-for example for someone named "marusich":
+Children’s Personal Information
-Use this function:
+We don’t provide AWS Offerings for purchase by children. If you’re under 18,
you may use AWS Offerings only with the involvement of a parent or guardian.
+Retention of Personal Information
-#+BEGIN_EXAMPLE
-strip_sigs() {
- local owner="$1"
- local temphome="$(mktemp -d)"
- gpg --export "$owner" | GNUPGHOME="$temphome" gpg --import
--import-options='import-clean'
- GNUPGHOME="$temphome" gpg --export "$owner" | base64
-}
-#+END_EXAMPLE
+We keep your personal information to enable your continued use of AWS
Offerings, for as long as it is required in order to fulfill the relevant
purposes described in this Privacy Notice, as may be required by law (including
for tax and accounting purposes), or as otherwise communicated to you. How long
we retain specific personal information varies depending on the purpose for its
use, and we will delete your personal information in accordance with applicable
law.
+Contacts, Notices, and Revisions
-Use it like this:
+If you have any concern about privacy at AWS or want to contact one of our
data controllers, please contact us with a thorough description, and we will
try to resolve it. You may also contact us at the addresses below:
-#+BEGIN_EXAMPLE
-strip_sigs address@hidden
-#+END_EXAMPLE
+ For any prospective or current customers of Amazon Web Services, Inc., our
mailing address is: Amazon Web Services, Inc., 410 Terry Avenue North, Seattle,
WA 98109-5210, ATTN: AWS Legal
+ For any prospective or current customers of Amazon Web Services EMEA SARL,
our mailing address is: Amazon Web Services EMEA SARL, 38 Avenue John F.
Kennedy, L-1855, Luxembourg, ATTN: AWS EMEA Legal
+ For any prospective or current customers of Amazon Internet Services
Private Limited, our mailing address is: Amazon Internet Services Private
Limited, Ground Floor, Eros Corporate Towers, Nehru Place, New Delhi, 110 019,
India, ATTN: AISPL Legal
-You can then copy the output into new entry in the variables.tf file.
-It will be significantly smaller than if we hadn't cleaned up all the
-signatures.
+If you interact with AWS Offerings on behalf of or through your organization,
then your personal information may also be subject to your organization’s
privacy practices, and you should direct privacy inquiries to your organization.
-* Next steps
+Our business changes constantly, and our Privacy Notice may also change. You
should check our website frequently to see recent changes. You can see the date
on which the latest version of this Privacy Notice was posted. Unless stated
otherwise, our current Privacy Notice applies to all personal information we
have about you and your account. We stand behind the promises we make, however,
and will never materially change our policies and practices to make them less
protective of personal [...]
+EU-US and Swiss-US Privacy Shield
-- Package Terraform
-- Package the AWS Provider plugin for Terraform
-- Simplify variable definitions by using .tfvars file?
-- Use origin failover to serve requests via the CDN from berlin first,
- and hydra second?
-
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/high_availability_origin_failover.html
+Amazon Web Services, Inc. participates in the EU-US and Swiss-US Privacy
Shield frameworks. Click here to learn more.
+Additional Information for Certain Jurisdictions
-** Setting up a budget
-I haven't actually set up a "budget". But this guide explains how to
-do so with Terraform:
-
-https://blog.kylegalbraith.com/2018/10/08/how-to-better-watch-your-aws-costs-before-you-forget/
-
-Summary: set up some CloudWatch alarms in Terraform, set up a "budget"
-in Terraform, and manually configure an alarm on the budget. Manually
-configuring the alarm on the budget is unfortunately necessary, since
-Terraform doesn't support it yet:
-
-https://github.com/terraform-providers/terraform-provider-aws/issues/4548
-
-That said, it isn't clear to me why we would need a "budget" right
-now. Having one or two alarms on estimated and actual total cost
-seems just as good, and we CAN do that in Terraform today. If we need
-to dive into the cost, there is always the invoice PDF or the AWS
-Management Console for ad-hoc investigation.
-
-* Questions
-** Guix build farm (berlin)
-
-- Does it ever return 3xx (e.g. redirects)?
-- Are there any URLs that are not returning a Cache-Control header but
- should be?
-
-- What should be cached? What should not be cached? We can apply
- different rules to different URLs according to a pattern language
- similar to shell globbing. However, if we set it up to respect the
- origin's cache-related headers when they are included in the
- response, we can configure all of this at the origin, independent of
- the CloudFront distribution. We can tell CloudFront not to cache
- anything by including "Cache-Control: no-cache, no-store, and/or
- private directives to objects", provided that we configure our
- CloudFront distribution's minimum TTL to be 0.
-- How long should it be cached? This can be set at the origin,
- independent of the CloudFront distribution.
-- Should we include "Cache-Control: max-age" or "Cache-Control:
- s-maxage" in responses we want to be cached? It seems the
- difference only matters when caching results in a web browser. For
- our use case, I don't think we need to bother using s-maxage at all.
-- Is it OK to ignore query parameters, headers, and cookies when
- deciding whether or not to cache?
+We provide additional information about the privacy, collection, and use of
personal information of prospective and current customers of AWS Offerings
located in certain jurisdictions.
-** Terraform
-- What does Terraform store in its "state"? Does it store anything
- sensitive, like secrets? Depending on the configuration, it might
- store secrets, and those secrets might be encrypted (e.g., by
- someone's PGP key) in the state file. This is independent of any
- server side encryption that might also be happening within the S3
- bucket, in the case of the S3 backend.
-* Avoiding "Service as a Software Substitute"
-Dave made an awesome Guile module for using CloudFormation:
+For any prospective or current customers of AWS Offerings in Canada:
-https://lists.gnu.org/archive/html/guix-devel/2018-12/msg00102.html
-https://gist.github.com/davexunit/db4b9d3e67902216fbdbc66cd9c6413e
+Your Rights. Subject to applicable law, you have the right to:
-We could have used Dave's module. However, Terraform...
+ ask whether we hold personal information about you and request copies of
such personal information and information about how it is processed;
+ request that inaccurate personal information is corrected;
+ request deletion of personal information that is no longer necessary for
the purposes underlying the processing, processed based on withdrawn consent,
or processed in non-compliance with applicable legal requirements; and
+ lodge a complaint with us regarding our practices related to your personal
information.
-- is mature software - it has been around for years.
-- has a vibrant ecosystem surrounding it already
-- is popular and is used by lots of people
-- avoids vendor lock-in by supporting many different providers
+You can exercise your rights of access, rectification, erasure, restriction,
or complaint by contacting us. If you wish to do any of these things and you
are an AWS customer, please contact us. If you are not an AWS customer, please
contact us at the address stated under Notice and Revisions above.
-Finally, and most importantly: Terraform is free software that you can
-run on your own computer. On the other hand, CloudFormation is
-essentially a "service as a software substitute" (SaaSS) that solves
-the same problem by offloading the work to a service. There is no
-good reason to use CloudFormation when we can use or make free
-software like Terraform to do the job for us just as well - maybe even
-better:
+For any prospective or current customers of AWS Offerings in the European
Economic Area (EEA):
-https://www.terraform.io/intro/vs/cloudformation.html
-https://www.gnu.org/philosophy/who-does-that-server-really-serve.html
+Controller of Personal Information. Amazon Web Services EMEA SARL, 5 rue
Plaetis, L-2338 Luxembourg, is the data controller of personal information
collected or processed through AWS Offerings. Amazon Web Services EMEA SARL, is
the authorized representative of Amazon Web Services, Inc. in the EEA.
-Primarily because CloudFormation is SaaSS, and secondarily because
-Terraform is mature and widely used, I chose to use Terraform.
+Processing. We process your personal information on one or more of the
following legal bases:
-But if that's the case, then why are we using CloudFront, IAM, etc.?
-Aren't those services, too? Well, yes. They are. But they are not
-SaaSS. I will try to explain why.
+ as necessary to enter into a contract with you or a legal entity you
represent, to perform our contractual obligations, to provide AWS Offerings, to
respond to requests from you, or to provide customer support;
+ where we have a legitimate interest, as described in this Privacy Notice
(see How We Use Personal Information above);
+ as necessary to comply with relevant law and legal obligations, including
to
+ respond to lawful requests and orders; or
+ with your consent.
-CloudFront is a CDN, and you cannot do what a CDN does by running a
-program on your computer. To do what a CDN does would require a huge
-investment of capital and people power to build and operate an
-international network of computers. In this way, a CDN is not SaaSS.
+Your Rights. Subject to applicable law, you have the right to:
-IAM is also a service. But again, you cannot replace what it does by
-running software on your computer. IAM is Amazon's way of knowing who
-should be allowed to do what with the Amazon web services that you
-choose to use. For example, creating an IAM group for administrators,
-and an IAM policy saying they can do anything they want, and adding an
-IAM user to that group named "Chris Marusich", is analogous to calling
-up your electric company and saying, "Please let Chris Marusich do
-whatever he needs to do with this account." They record the
-information in their own system, and then when Chris calls asking them
-to change a billing address, they do some verification and determine
-that he's allowed to do that. IAM is the same. It doesn't replace
-software that you could have run on your own computer; it's an
-integral part of using the Amazon web services, and it has no function
-outside of that. Therefore, IAM is also not SaaSS.
+ ask whether we hold personal information about you and request copies of
such personal information and information about how it is processed;
+ request that inaccurate personal information is corrected;
+ request deletion of personal information that is no longer necessary for
the purposes underlying the processing, processed based on withdrawn consent,
or processed in non-compliance with applicable legal requirements;
+ request us to restrict the processing of personal information where the
processing is inappropriate;
+ object to the processing of personal data;
+ request portability of personal information that you have provided to us
(which does not include information derived from the collected information),
where the processing of such personal information is based on consent or a
contract with you and is carried out by automated means; and
+ lodge a complaint with our principal supervisory authority, the Commission
Nationale pour la Protection des Données in Luxembourg www.cnpd.lu, or with a
local authority.
-Generally speaking, although SaaSS is bad because it takes freedom
-away from the computer user, services that are not SaaSS may be bad or
-good depending on the context. Services are different from software,
-so they must be treated differently. We shouldn't be afraid to use a
-service if (1) it isn't SaaSS and (2) it makes sense to use that
-particular service in that particular context.
+You can exercise your rights of access, rectification, erasure, restriction,
objection, and data portability by contacting us. If you wish to do any of
these things and you are an AWS customer, please contact us. If you are not an
AWS customer, please contact us at the address under Notice and Revisions above.
-* Using the AWS CLI
+When you consent to our processing your personal information for a specified
purpose, you may withdraw your consent at any time, and we will stop any
further processing of your data for that purpose.
-The AWS CLI is packaged in Guix. It's called "awscli". Here's some
-documentation:
+Cookies. Please refer to our Cookies Notice.
-https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html
-https://docs.aws.amazon.com/cli/latest/index.html
+Transfers outside of the EEA. When we transfer your personal information
outside the EEA we do so in accordance with the terms of this Privacy Notice
and applicable data protection law. This may include the transfer of data in
accordance with the EU-US and Swiss-US Privacy Shield frameworks (for transfers
to the US) or pursuant to data transfer agreements that incorporate the
Standard Contractual Clauses approved by the EU Commission.
-It understands many (perhaps all?) of the same environment variables
-that the Terraform AWS provider understands.
+For any prospective or current customers of AWS Offerings in Japan:
-Invoke it like this (customize the environment variables as needed):
+Any personal information provided to or gathered by Amazon Web Services Japan
K.K. is controlled primarily by Amazon Web Services Japan K.K. Any personal
information collected by Amazon Web Services, Inc. is controlled primarily by
Amazon Web Services, Inc. We use information in accordance with this Privacy
Notice jointly with our domestic and foreign subsidiaries of Amazon.com, Inc.,
including Amazon Web Services, Inc., Amazon Web Services Japan K.K., Amazon Web
Services EMEA SARL, and [...]
-#+BEGIN_EXAMPLE
-[0] address@hidden:~
-$ AWS_DEFAULT_REGION=us-east-1 AWS_PROFILE=guix aws iam list-users
-{
- "Users": [
- {
- "Path": "/",
- "UserName": "civodul",
- "UserId": "AIDAJXYCBKCDPUFEJVA3K",
- "Arn": "arn:aws:iam::354378008360:user/civodul",
- "CreateDate": "2018-12-27T07:37:19Z"
- },
- {
- "Path": "/",
- "UserName": "marusich",
- "UserId": "AIDAJCXVTZTTRDUOTBAL2",
- "Arn": "arn:aws:iam::354378008360:user/marusich",
- "CreateDate": "2018-12-27T07:30:53Z",
- "PasswordLastUsed": "2018-12-28T01:36:32Z"
- },
- {
- "Path": "/",
- "UserName": "rekado",
- "UserId": "AIDAIZK2BC4U6R53UVING",
- "Arn": "arn:aws:iam::354378008360:user/rekado",
- "CreateDate": "2018-12-27T07:37:19Z"
- }
- ]
-}
-[0] address@hidden:~
-$
+ For any prospective or current customers of AWS Offerings in South Korea:
-#+END_EXAMPLE
+ AWS has contracts in place with the following third party service
provider(s) to perform functions on behalf of AWS in Korea, and they may have
access to your personal information as needed to perform their functions
described below:
-** Evict objects from CloudFront's cache
-You can evict cached responses from a CloudFront distribution.
-CloudFront refers to this process as "invalidation". For details, see
-here:
+ Name of Party
+
-https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Invalidation.html
+ Description of Function
-Note that invalidation costs an additional amount of money, but it is
-negligible if you are only doing a few invalidation requests.
-Notably, "the charge to submit an invalidation path is the same
-regardless of the number of files you're invalidating" - this means
-you can invalidate everything if you want, and it will cost basically
-nothing:
+ Marketo
+
-https://aws.amazon.com/cloudfront/pricing/
+ Customer communications
-Here is an example that invalidates all cached objects for a
-distribution with ID E2LCS83UL0PPNA (change the ID and paths as
-needed):
+ Salesforce
+
+
+ Customer relationship management
+
+ PaymentTech
+
+
+ Payment instrument processing
+
+ When deleting personal information, AWS will take standard commercially
reasonable measures to make the personal information practically irrecoverable
or irreproducible. The specific manner of deletion will depend on the
information being deleted, how the information was collected and stored, and
your interactions with us. Electronic documents or files containing personal
information will be deleted using a technical method that makes recovery or
retrieval of such information practic [...]
+
+ If you have any privacy questions or requests please contact:
+
+ AWS Korea Privacy
+ Email: address@hidden
+
+Examples of Information Collected
+Information You Give Us
+
+You provide information to us when you:
+
+ search for, subscribe to, or purchase AWS Offerings;
+ create or administer your AWS account (and you might have more than one
account if you have used more than one email address when using AWS Offerings);
+ configure your settings for, provide data access permissions for, or
otherwise interact with AWS Offerings;
+ register for or attend an AWS event;
+ purchase or use content, products, or services from third-party providers
through the AWS Marketplace (or other similar venues operated or provided by
us);
+ offer your content, products, or services on or through AWS Offerings or
the AWS Marketplace (or other similar venues operated or provided by us);
+ communicate with us by phone, email, or otherwise;
+ complete a questionnaire, a support ticket, or other information request
forms;
+ post on AWS websites or participate in community features; and
+ employ notification services.
+
+Depending on your use of AWS Offerings, you might supply us with such
information as:
+
+ your name, email address, physical address, phone number, and other
similar contact information;
+ payment information, including credit card and bank account information;
+ information about your location;
+ information about your organization and your contacts, such as colleagues
or people within your organization;
+ usernames, aliases, roles, and other authentication and security
credential information;
+ content of feedback, testimonials, inquiries, support tickets, and any
phone conversations, chat sessions and emails with or to us;
+ your image (still, video, and in some cases 3-D), voice, and other
identifiers that are personal to you when you attend an AWS event or use
certain AWS Offerings;
+ information regarding identity, including government-issued identification
information;
+ corporate and financial information; and
+ VAT numbers and other tax identifiers.
+
+Automatic Information
+
+We collect information automatically when you:
+
+ visit, interact with, or use AWS Offerings (including when you use your
computer or other device to interact with AWS Offerings);
+ download content from us;
+ open emails or click on links in emails from us; and
+ interact or communicate with us (such as when you attend an AWS event or
when you request customer support).
+
+Examples of the information we automatically collect include:
+
+ network and connection information, such as the Internet protocol (IP)
address used to connect your computer or other device to the Internet and
information about your Internet service provider;
+ computer and device information, such as device, application, or browser
type and version, browser plug-in type and version, operating system, or time
zone setting;
+ the location of your device or computer;
+ authentication and security credential information;
+ content interaction information, such as content downloads, streams, and
playback details, including duration and number of simultaneous streams and
downloads;
+ AWS Offerings metrics, such as offering usage, occurrences of technical
errors, diagnostic reports, your settings preferences, backup information, API
calls, and other logs;
+ the full Uniform Resource Locators (URL) clickstream to, through, and from
our website (including date and time) and AWS Offerings, content you viewed or
searched for, page response times, download errors, and page interaction
information (such as scrolling, clicks, and mouse-overs);
+ email addresses and phone numbers used to contact us; and
+ identifiers and information contained in cookies (see our Cookies Notice).
+
+Information from Other Sources
+
+Examples of information we receive from other sources include:
+
+ marketing, sales generation, and recruitment information, including your
name, email address, physical address, phone number, and other similar contact
information;
+ subscription, purchase, support, or other information about your
interactions with products and services offered by us, our affiliates (such as
AWS training courses), or third parties (such as products offered through the
AWS Marketplace) in relation to AWS Offerings;
+ search results and links, including paid listings (such as Sponsored
Links); and
+ credit history information from credit bureaus.
+
+Information You Can Access
+
+Examples of information you can access through AWS Offerings include:
+
+ your name, email address, physical address, phone number, and other
similar contact information;
+ usernames, aliases, roles, and other authentication and security
credential information;
+ your subscription, purchase, usage, billing, and payment history;
+ payment settings, such as payment instrument information and billing
preferences;
+ tax information;
+ email communication and notification settings; and
+ if you participate in the AWS Marketplace or Amazon Partner Network (or
other similar venues operated or provided by us), your account, your status,
subscriptions, and other information.
+
+Customers can access the information above through AWS Offerings, such as the
AWS Management Console (including the My Account, Billing Dashboard, Bills,
Payment Methods, Payment History, Preferences and Tax Settings pages), the AWS
Email Preference Center, AWS Marketplace, and APN Partner Central.
+#+END_QUOTE
+
+*** Bootstrap the AWS Account Manually
+
+**** Create a temporary administrative user
+
+Create a user named safe-to-delete-admin and attach an IAM policy to
+it that lets it do anything. We'll delete this in a little bit.
+
+Put the credentials in ~/.aws/credentials, like this: You must set up
+an AWS Credentials file a profile of the same name (i.e., "guix").
+For example, put this in your ~/.aws/credentials:
#+BEGIN_EXAMPLE
-[0] address@hidden:~
-$ AWS_DEFAULT_REGION=us-east-1 AWS_PROFILE=guix aws cloudfront
create-invalidation --distribution-id E2LCS83UL0PPNA --paths '/*'
-{
- "Location":
"https://cloudfront.amazonaws.com/2017-03-25/distribution/E2LCS83UL0PPNA/invalidation/I2PCH5JZ52HUX7",
- "Invalidation": {
- "Id": "I2PCH5JZ52HUX7",
- "Status": "InProgress",
- "CreateTime": "2018-12-28T02:43:51.326Z",
- "InvalidationBatch": {
- "Paths": {
- "Quantity": 1,
- "Items": [
- "/*"
- ]
- },
- "CallerReference": "cli-1545965030-886799"
- }
- }
-}
-[0] address@hidden:~
-$
+[guix]
+aws_access_key_id=ACCESS_KEY_ID
+aws_secret_access_key=SECRET_ACCESS_KEY
#+END_EXAMPLE
-You can also check on the invalidation status like so:
+See:
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html
-#+BEGIN_EXAMPLE
-[0] address@hidden:~
-$ AWS_DEFAULT_REGION=us-east-1 AWS_PROFILE=guix aws cloudfront
get-invalidation --id I2PCH5JZ52HUX7 --distribution-id E2LCS83UL0PPNA
-{
- "Invalidation": {
- "Id": "I2PCH5JZ52HUX7",
- "Status": "Completed",
- "CreateTime": "2018-12-28T02:43:51.326Z",
- "InvalidationBatch": {
- "Paths": {
- "Quantity": 1,
- "Items": [
- "/*"
- ]
- },
- "CallerReference": "cli-1545965030-886799"
- }
- }
-}
-[0] address@hidden:~
-$
-#+END_EXAMPLE
+That documentation AWS CLI documentation, but the same ideas apply
+generally to other AWS SDKs and tools.
-See the following for details:
+Now, run "terraform init" in the directory containing the file
+"main.tf", and Terraform will download the AWS provider if you don't
+already have it.
-https://docs.aws.amazon.com/cli/latest/reference/cloudfront/create-invalidation.html
-https://docs.aws.amazon.com/cli/latest/reference/cloudfront/get-invalidation.html
-* Deployment Plan
-** DNS
-For information about how Guix has configured its DNS, please contact
-one of the system administrators or address@hidden
+Then run "terraform plan", and Terraform will tell you what changes it
+will make.
-For now, we plan to use ci.guix.info as the entrypoint into the CDN.
-Currently, ci.guix.info points to the berlin build farm. To integrate
-ci.guix.info with the CDN, we must change ci.guix.info to be a CNAME
-that points to the CloudFront distribution.
+After that, let's try creating it by running "terraform apply".
-** HTTPS (TLS)
-Because ci.guix.info and berlin.guixsd.org currently allow both HTTP
-and HTTPS (i.e., HTTP over TLS), we will do the same for the
-CloudFront distribution. However, in the future, to protect the
-confidentiality of connections between clients and our build farm (or
-the CDN), we should stop serving requests over HTTP.
+It worked, hooray! Now we can update ~/.aws/configuration with the
+newly created access key (you have to decrypt its secret part from the
+output using GnuPG) and then delete the safe-to-delete-admin user
+manually (without using Terraform). After that, we can control nearly
+all aspects of the AWS account and its resources via IAM users.
-In addition, because we want to support HTTPS, we will need to arrange
-for a TLS certificate for ci.guix.info to be used with the CloudFront
-distribution. For details on how this is done with CloudFront, see:
+**** Enable IAM users to view billing information
-https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-alternate-domain-names.html
+Some activities cannot be done by an IAM user, even an administrator,
+without taking some manual steps first to allow it. Read more here:
-Currently, the server behind berlin.guixsd.org (which currently, like
-ci.guix.info, is a single A record pointing to 141.80.181.40) returns
-a Let's Encrypt certificate with the following two Subject Alternative
-Names:
+https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html
-- berlin.guixsd.org
-- ci.guix.info
+These tasks must be performed by the so-called "root user". The "root
+user" is a term that AWS uses to refer to, essentially, the entity
+that owns and has truly full control over all aspects of the account.
+It is not an IAM user.
-You can see this by running:
+One of these activities is viewing billing info, which is useful.
+Let's let IAM users do that:
- echo -n | openssl s_client ci.guix.info:443 | openssl x509 -text
+https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/grantaccess.html#ControllingAccessWebsite-Activate
-We are not going to re-use this certificate. Instead, we are going to
-provision a new certificate using Amazon Certificate Manager (ACM).
-We will do this because if we use an ACM certificate, we gain the
-following benefits:
+Once that's done, all administrators can now also view the billing
+information. In addition, it is now possible to define new IAM
+policies to grant the specific permission to view the billing
+information (but not anything else). For example, we could create a
+group called "accountants" that contains users who need access to view
+billing information (but nothing else).
-- ACM will automatically rotate our certificate.
-- The ACM CA, like many CAs, is already trusted by Guix's client
- software and so requires no additional action for clients to use.
-- By using ACM, we do not have to trust Amazon with the
- berlin.guixsd.org server's private key.
-- Using ACM is a purely additive operation, so rollback is easy.
-- This use of ACM incurs zero additional cost.
+**** Get invoice as PDF via email
-On the contrary, if we re-use berlin.guixsd.org's certificate, we must
-accept the following downsides:
+To further reduce the need to run JavaScript just to view your
+invoice, follow these instructions to have the invoice mailed to you
+as a PDF file:
-- Certificate rotation must be done manually, or via a cron job of
- some kind that we would have to implement and maintain. Even if
- Let's Encrypt makes it easy to rotate the certificate, importing
- that certificate into AWS and using it with the CloudFront
- distribution will require additional steps.
-- We must share the berlin.guixsd.org server's private key with AWS.
- If rolling back also means eliminating the risk introduced by
- sharing the private key, then rollback will also become more
- complicated.
+https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/emailed-invoice.html
-We could provision a new Let's Encrypt certificate to make rollback
-easier, but we would still have to import it into Amazon ourselves and
-rotate it manually. It just makes more sense to use Amazon
-Certificate Manger for this test. Perhaps in the future, if we decide
-to stick with CloudFront for a long time, we will implement our own
-automatic rotation mechanism so that we can provision and manage our
-own certificate.
+I have done this for our account. It seems this cannot be configured
+using Terraform or any existing AWS API.
-Finally, note that to provision a certificate with ACM will require
-access to both the AWS account and also the DNS provider account.
-This is because, as part of the certificate provisioning process, ACM
-requires us to demonstrate domain ownership. This can be done via
-email verification (in which ACM emails a bunch of admin emails
-associated with the domain) or DNS record verification (in which we
-create a nonce DNS record, specified by ACM, to demonstrate
-ownership).
+**** Enable cost explorer
-** Deployment, Validation, and Rollback
+This is Cost Explorer:
+https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/ce-what-is.html
-Summary of deployment, validation, and rollback plan.
+To ensure I have the ability to drill into the costs we might incur,
+I've enabled this for now. It isn't possible to enable it (yet) with
+Terraform configuration.
-*** Pre-Deployment
+Enabling it adds no additional cost to our bill, even if we choose to
+use the Cost Explorer tool in the AWS Management Console. However, if
+we choose to use the Cost Explorer APIs, those do cost extra.
-Before deploying, make sure the following has been done:
+**** Enable "Receive billing alerts"
-- Fully prepare a working CloudFront distribution using Terraform.
+It is necessary to enable "receive billing alerts" in order to create
+alarms on billing-related metrics. I've manually enabled this for our
+account. It isn't possible (yet?) to configure this in Terraform
+configuration. For details, see:
-*** Deployment
+https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/monitor_estimated_charges_with_cloudwatch.html
-Deploy as follows:
+** Configuration structure
-- Send an email to address@hidden and address@hidden, and notify the
- #guix chat room on Freenode, to let people know you are beginning.
-- Update DNS so ci.guix.info is a CNAME pointing to the CloudFront
- distribution's DNS name.
+There can be multiple files (*.tf, *.tfvars), or just one file. Name
+doesn't matter, as long as it ends in .tf or .tfvars. We could
+probably move our "variables.tf" into some kind of "variables.tfvars"
+file, but I haven't thought very much about the structure beyond that.
+It works, so that's good for now.
-*** Validation
+Configuration files can contain things like this:
-Validate ci.guix.info as follows:
+- provider(s)
+- resource(s)
+- module(s)
+- variable(s)
+- output(s)
-- Using "guix download", download a substitute. Confirm it succeeds.
-- Using "guix weather", check the weather of ci.guix.info. Confirm it
- succeeds and has more than 0% substitutes available.
-- Using "guix build", build something using substitutes. Confirm that
- Guix successfully updates substitute information and downloads
- substitutes.
-- Using IceCat, view the Cuirass web interface. Confirm it loads and
- behaves as expected.
-- After 24 hours, check the cache hit rate using the AWS Management
- Console and confirm that it is greater than 0%.
+For now, we have a file called "main.tf" that describes all the
+Terraform-managed resources, and another file named "variables.tf"
+that contains variables that are referenced by resources in "main.tf".
-*** Rollback
+See:
+https://learn.hashicorp.com/terraform/getting-started/variables
+"Note: that the file can be named anything, since Terraform loads all
+files ending in .tf in a directory. "
-Rollback as follows:
+* Questions and Concerns
+
+** Resources not managed by Terraform
+
+Some resources cannot currently be managed by Terraform.
+
+*** ACM Certificate Validation
-- Restore the original DNS record for ci.guix.info.
-- Disable the CloudFront distribution when the sooner of the following
- two conditions occurs:
- - Time passes equal to 2x the TTL of ci.guix.info.
- - Request rate to the CloudFront distribution decreases by at
- least 90% compared to before the rollback.
-- Repeat validation activities for ci.guix.info.
-- Send an email to address@hidden and address@hidden, and notify the
- #guix chat room on Freenode, to let people know you have rolled
- back.
-* Resources not managed by Terraform
-** ACM Certificate Validation
Initial validation of the ACM certificate requires manual creation of
DNS records. See the comment next to berlin-mirror-certificate in the
file "main.tf" for details.
-** Alarm Notifications via Email (i.e., SNS Topic Email Subscriptions)
+
+*** Alarm Notifications via Email (i.e., SNS Topic Email Subscriptions)
+
CloudWatch can send alerts via email. It does this by sending a
notification to an SNS topic. To receive an email from a topic, you
must subscribe to the topic. To do that, you must follow this
@@ -1390,3 +1369,73 @@ Terraform doesn't support the creation of email
subscriptions to SNS
topics, and it probably won't ever. See here for details:
https://www.terraform.io/docs/providers/aws/r/sns_topic_subscription.html
+
+** Terraform-specific Problems
+
+*** Downloads pre-built binaries
+
+https://learn.hashicorp.com/terraform/getting-started/build
+By default, "terraform init" downloads and installs "plugin" binaries.
+It would be better if they were packaged individually in Guix.
+
+*** Needs to keep track of some state
+
+https://learn.hashicorp.com/terraform/getting-started/build
+
+"Terraform also wrote some data into the terraform.tfstate file. This
+state file is extremely important; it keeps track of the IDs of
+created resources so that Terraform knows what it is managing. This
+file must be saved and distributed to anyone who might run
+Terraform. It is generally recommended to setup remote state when
+working with Terraform, to share the state automatically, but this is
+not necessary for simple situations like this Getting Started guide."
+
+consider using s3 backend for remote state
+https://www.terraform.io/docs/backends/
+https://www.terraform.io/docs/state/remote.html
+
+*** terraform registry
+
+a collection of 'modules':
+https://registry.terraform.io/
+
+** Questions
+
+*** Guix build farm (berlin)
+
+- Does it ever return 3xx (e.g. redirects)? Will those be interpreted
+ as redirects to the CloudFront distribution, or will it cause
+ clients to send requests directly to the build farm (which would be
+ undesirable)?
+- Are there any URLs that are not returning a Cache-Control (or
+ Expires) header but should be? The CloudFront distribution is
+ currently configured to cache a response for 24 hours if it omits
+ such a header.
+- Are there any URLs that are returning a Cache-Control (or Expires)
+ header but either (1) should actually omit the header or (2) is
+ specifying an unreasonable value?
+- Should we include "Cache-Control: max-age" or "Cache-Control:
+ s-maxage" in responses we want to be cached? It seems the
+ difference only matters when caching results in a web browser. For
+ our use case, I don't think we need to bother using s-maxage at all.
+- Is it OK to ignore query parameters, headers, and cookies when
+ deciding whether or not to cache? This might be a problem if
+ something, such as Cuirass, depends on their presence.
+
+*** Terraform
+
+- What does Terraform store in its "state"? Does it store anything
+ sensitive, like secrets? Depending on the configuration, it might
+ store secrets, and those secrets might be encrypted (e.g., by
+ someone's PGP key) in the state file. This is independent of any
+ server side encryption that might also be happening within the S3
+ bucket, in the case of the S3 backend.
+
+* How can we improve on this?
+
+- Package Terraform
+- Package the AWS Provider plugin for Terraform
+- Simplify variable definitions by using .tfvars file?
+- Use origin failover to serve requests via the CDN from berlin first,
+ and hydra second?
+
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/high_availability_origin_failover.html