Skip to main content
Manage Bring Your Own Infrastructure provisioning. The lifecycle is init (write the config) → generate (preview the change) → provision (apply it) — see the walkthroughs for the full setup.

init

Interactive wizard — writes the infrastructure config (_infra/synthetiq.yaml): 
synthetiq infra init \
  --domain apps.yourcompany.com \
  --profile <aws-profile>
With AWS credentials, init discovers your VPC, subnets, and issued certificates and writes concrete ids. Without credentials it runs in offline mode and prompts for the values. All flags are optional — they pre-answer the wizard’s prompts. With --yes (non-interactive) there are no prompts, so --domain is required and the certificates must be discoverable in the account or passed via --api-cert-arn / --cdn-cert-arn.
FlagDescription
--domain <domain>Base domain for apps (e.g. apps.yourcompany.com)
--region <region>AWS region for the infrastructure (default: us-east-1)
--profile <profile>AWS profile to use (default: environment credential chain)
--config <path>Config file to write (default: _infra/synthetiq.yaml)
--forceOverwrite an existing config file
--vpc-id <id>Use a specific VPC (default: discover)
--subnet-ids <ids>Comma-separated public subnet ids (≥ 3 AZs)
--nat-gateway-id <id>Reuse an existing NAT gateway
--private-subnet-ids <ids>Comma-separated existing private subnet ids
--api-cert-arn <arn>Issued ACM certificate for *.api.<domain>
--cdn-cert-arn <arn>Issued ACM certificate for *.<domain> (us-east-1)
--yesAccept defaults without prompting

generate

Compute the CloudFormation change sets from the config and write a reviewable changeset file — nothing is executed: 
synthetiq infra generate \
  --profile <aws-profile>
Exit codes match terraform plan -detailed-exitcode: 0 when nothing changed, 2 when changes are pending, 1 on error.
FlagDescription
--config <path>Config file to read (default: nearest _infra/synthetiq.yaml, searching upward)
--out <dir>Directory for changeset files (default: changesets/ next to the config)
--profile <profile>AWS profile to use (default: environment credential chain)

provision

Apply the pending changeset — executes exactly the reviewed change sets, prints the app DNS records, seeds the deploy key, and registers the account as your organization’s deployment target: 
synthetiq infra provision \
  --profile <aws-profile>
Requires a Synthetiq identity holding the infra:provision scope (your login locally, a service account in CI) — init and generate need no Synthetiq identity at all. Refuses to apply when the config changed since generate, when the stack moved underneath the change set, or when the changeset was generated by a different CLI version.
FlagDescription
--config <path>Config file to validate against (default: nearest _infra/synthetiq.yaml, searching upward)
--changeset <path>Changeset file (default: latest in changesets/ next to the config)
--changesets-dir <dir>Directory holding changeset files
--profile <profile>AWS profile to use (default: environment credential chain)
--skip-preflightSkip the IAM permission simulation
--allow-version-skewProceed even if this CLI version differs from the one that generated the changeset
--yesSkip confirmation

status

Show your organization’s registered deployment target — the result of the most recent provision: 
synthetiq infra status
Reports the registration status (ready, provisioning, failed, …) along with the AWS account, domain, and deploy role. Prints No deployment target registered when the organization has never provisioned.
FlagDescription
--jsonOutput the raw configuration as JSON

permissions

Print the IAM policy required for provisioning (JSON): 
synthetiq infra permissions \
  --stage generate
FlagDescription
--stage <stage>Print only what one stage needs: init, generate, or provision (default: provision — the full policy)
See Permissions for what each stage’s policy contains.